scala.lang.security.audit.rsa-padding-set.rsa-padding-set
returntocorpAuthor
unknown
Download Count*
License
Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with OAEPWithMD5AndMGF1Padding instead.
Run Locally
Run in CI
Defintion
rules:
- id: rsa-padding-set
metadata:
cwe:
- "CWE-780: Use of RSA Algorithm without OAEP"
owasp:
- A02:2021 - Cryptographic Failures
category: security
technology:
- scala
- cryptography
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
resources:
- https://blog.codacy.com/9-scala-security-issues/
confidence: HIGH
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- audit
likelihood: MEDIUM
impact: MEDIUM
message: Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may
weaken encryption. This could lead to sensitive data exposure. Instead,
use RSA with `OAEPWithMD5AndMGF1Padding` instead.
severity: WARNING
languages:
- scala
patterns:
- pattern: |
$VAR = $CIPHER.getInstance($MODE)
- metavariable-regex:
metavariable: $MODE
regex: .*RSA/.*/NoPadding.*
Examples
rsa-padding-set.scala
class RSACipher {
def badRSACipher(): Void =
try {
// ruleid: rsa-padding-set
val c = Cipher.getInstance("RSA/None/NoPadding")
c.init(Cipher.ENCRYPT_MODE, k, iv)
val cipherText = c.doFinal(plainText)
} catch {
case NonFatal(e) => throw new RuntimeException("Encrypt error", e)
}
def okRSACipher(): Void =
try {
// ok: rsa-padding-set
var c = Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding")
c.init(Cipher.ENCRYPT_MODE, k, iv)
val cipherText = c.doFinal(plainText)
} catch {
case NonFatal(e) => throw new RuntimeException("Encrypt error", e)
}
}
Short Link: https://sg.run/GO5p