ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size

Author: semgrep

The RSA key size $SIZE is insufficient by NIST standards. It is recommended to use a key length of 2048 or higher.


Definition

rules:
  - id: insufficient-rsa-key-size
    message: The RSA key size $SIZE is insufficient by NIST standards. It is
      recommended to use a key length of 2048 or higher.
    languages:
      - ruby
    severity: WARNING
    metadata:
      technology:
        - ruby
      category: security
      references:
        - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    patterns:
      - pattern-either:
          - pattern: OpenSSL::PKey::RSA.generate($SIZE,...)
          - pattern: OpenSSL::PKey::RSA.new($SIZE, ...)
          - patterns:
              - pattern-either:
                  - patterns:
                      - pattern-inside: |
                          $ASSIGN = $SIZE
                          ...
                      - pattern-either:
                          - pattern: OpenSSL::PKey::RSA.new($ASSIGN, ...)
                          - pattern: OpenSSL::PKey::RSA.generate($ASSIGN, ...)
                  - patterns:
                      - pattern-inside: |
                          def $METHOD1(...)
                          ...
                          $ASSIGN = $SIZE
                          ...
                          end
                          ...
                      - pattern-either:
                          - pattern: OpenSSL::PKey::RSA.new($ASSIGN, ...)
                          - pattern: OpenSSL::PKey::RSA.generate($ASSIGN, ...)
      - metavariable-comparison:
          metavariable: $SIZE
          comparison: $SIZE < 2048

Examples

insufficient-rsa-key-size.rb

require 'openssl'

class Test
    $key = 512
    $pass1 = 2048

    def initialize(key = nil, iv = nil)
        @key2 = 512
        @pass2 = 2048
        # ruleid: insufficient-rsa-key-size
        OpenSSL::PKey::RSA.new(@key2)
        # ruleid: insufficient-rsa-key-size
        OpenSSL::PKey::RSA.new 512
        bad
        bad1
        ok
    end

    def bad
        # ruleid: insufficient-rsa-key-size
        key = OpenSSL::PKey::RSA.new($key)
    end

    def bad1
        # ruleid: insufficient-rsa-key-size
        key = OpenSSL::PKey::RSA.new(@key2)
    end

    def ok
        # ok: insufficient-rsa-key-size
        key = OpenSSL::PKey::RSA.new($pass1)
        # ok: insufficient-rsa-key-size
        key = OpenSSL::PKey::RSA.new(@pass2)
        # ok: insufficient-rsa-key-size
        key = OpenSSL::PKey::RSA.new(2048)
    end
end
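The rule above catches weak sizes that are visible as literals at scan time, but a key size that arrives from configuration, or a key loaded from a PEM file, is never seen by the static pattern. The following is an added example (not part of the Semgrep rule or its test file) showing the runtime counterpart: a generator that refuses anything below the 2048-bit floor, and a check that reads the modulus size of an existing key so weak keys can be rejected or flagged before use. The constant and function names are this example's own.

```ruby
require 'openssl'

# NIST SP 800-57 minimum for RSA moduli (same threshold the Semgrep rule uses).
MIN_RSA_BITS = 2048

# Generate an RSA key, refusing sizes below the minimum instead of silently
# producing a weak key when the size comes from config or a caller.
def generate_rsa_key(bits = MIN_RSA_BITS)
  if bits < MIN_RSA_BITS
    raise ArgumentError, "RSA key size #{bits} is below the #{MIN_RSA_BITS}-bit minimum"
  end
  OpenSSL::PKey::RSA.new(bits)
end

# Return the modulus size in bits of an existing key. Accepts an
# OpenSSL::PKey::RSA object or a PEM/DER string (e.g. read from disk).
def rsa_key_bits(key)
  key = OpenSSL::PKey::RSA.new(key) if key.is_a?(String)
  key.n.num_bits
end

# True when the key meets the minimum; use this to audit keys that were
# generated elsewhere and are only loaded at runtime.
def rsa_key_strong?(key)
  rsa_key_bits(key) >= MIN_RSA_BITS
end

if __FILE__ == $PROGRAM_NAME
  strong = generate_rsa_key
  puts "generated #{rsa_key_bits(strong)}-bit key, strong? #{rsa_key_strong?(strong)}"
  begin
    generate_rsa_key(1024)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Checking `key.n.num_bits` on load complements the static rule: the Semgrep pattern prevents weak sizes from being written into source, while the runtime check catches weak keys that reach the application as data.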