Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Rust: new query rust/hardcoded-crytographic-value #18943

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 30 commits into
base: main
Choose a base branch
Loading
from
+728 −4
Open

Rust: new query rust/hardcoded-crytographic-value #18943

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
9a35feb
Rust: Query framework and basic tests.
geoffw0 Mar 3, 2025
bd75f01
Rust: More test cases.
geoffw0 Mar 5, 2025
9fb00da
Rust: Implement the query (with one source, one sink model).
geoffw0 Mar 3, 2025
a6e106e
Rust: Model more sinks + flows.
geoffw0 Mar 4, 2025
aacbfc0
Rust: Improve alert messages.
geoffw0 Mar 5, 2025
055baf2
Rust: Improve results on arrays (less duplication).
geoffw0 Mar 6, 2025
ac94ac6
Rust: Model even more sinks + flows.
geoffw0 Mar 6, 2025
b4a6063
Rust: Add std::mem::zeroed as a source.
geoffw0 Mar 6, 2025
95be12e
Rust: Add qhelp and examples.
geoffw0 Mar 6, 2025
e564c41
Rust: Compute security-severity tag.
geoffw0 Mar 6, 2025
952e417
Rust: Tweak some wording.
geoffw0 Mar 6, 2025
9af2d02
Rust: Add the new sinks to stats.
geoffw0 Mar 6, 2025
42e7d1e
Rust: Fix typo.
geoffw0 Mar 6, 2025
b6c9be2
Merge branch 'main' into constcrypto
geoffw0 Mar 7, 2025
19416a9
Rust: Correct test results.
geoffw0 Mar 7, 2025
c63c1be
Rust: Accept integration test .expected changes.
geoffw0 Mar 7, 2025
3dc35f1
Rust: Accept more test changes.
geoffw0 Mar 7, 2025
fdb4362
Merge remote-tracking branch 'upstream/main' into constcrypto
geoffw0 Mar 7, 2025
b4e710f
Rust: Add missing models (for some platforms???).
geoffw0 Mar 7, 2025
e84a98b
Apply suggestions from code review
geoffw0 Mar 10, 2025
a34f9be
Rust: Add a test case for getrandom.
geoffw0 Mar 10, 2025
9e54d53
Rust: Add barrier.
geoffw0 Mar 10, 2025
1ca5c59
Rust: Replace imports of internal.DataFlowImpl where possible.
geoffw0 Mar 10, 2025
e3beacb
Rust: Print models (temporary, to see how this differs on CI).
geoffw0 Mar 10, 2025
a0f4fa2
Rust: hardcoded -> hard-coded.
geoffw0 Mar 11, 2025
704b385
Rust: Fix a mistake in the test.
geoffw0 Mar 17, 2025
81edb47
Merge branch 'main' into constcrypto
geoffw0 Mar 17, 2025
f5daec9
Rust: Fix after merge.
geoffw0 Mar 17, 2025
07011f7
Rust: Fix more after merge.
geoffw0 Mar 17, 2025
898c569
Rust: Change note.
geoffw0 Jun 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Rust: Add qhelp and examples.
  • Loading branch information
@geoffw0
geoffw0 committed Mar 6, 2025
commit 95be12ed80f96af4df5d8658037630485e42975b
58 changes: 58 additions & 0 deletions 58 rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.qhelp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>

<overview>
<p>
Hardcoded passwords, keys, initialization vectors and salts should not be used for cryptographic operations.
geoffw0 marked this conversation as resolved.
Show resolved Hide resolved
</p>
<ul>
<li>
Attackers can easily recover hardcoded values if they have access to the source code or compiled executable.
</li>
<li>
Some hardcoded values may be easily guessable.
</li>
<li>
Hardcoded values may leave cryptographic operations vulnerable to dictionary attacks, rainbow tables, and other forms of cryptanalysis.
</li>
</ul>

</overview>
<recommendation>

<p>
Use randomly generated key material, initialization vectors and salts. Use strong passwords that are not hardcoded in source code.
</p>

</recommendation>
<example>

<p>
The following example shows instantiating a cipher with hardcoded key material, making the encrypted data vulnerable to recovery.
</p>

<sample src="HardcodedCryptographicValueBad.rs" />

<p>
In the fixed code below, the key material is randomly generated and not hardcoded, which protects the encrypted data against recovery. A real application would also need a strategy for secure key management after the key has been generated.
</p>

<sample src="HardcodedCryptographicValueGood.rs" />

</example>
<references>

<li>
OWASP: <a href="https://www.owasp.org/index.php/Use_of_hard-coded_password">Use of hard-coded password</a>.
</li>
<li>
OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>.
</li>
<li>
O'Reilly: <a href="https://www.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch04s09.html">Using Salts, Nonces, and Initialization Vectors</a>.
</li>

</references>
</qhelp>
2 changes: 2 additions & 0 deletions 2 rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValueBad.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
let key: [u8;32] = [0;32]; // BAD: Using hardcoded keys for encryption
let cipher = Aes256Gcm::new(&key.into());
2 changes: 2 additions & 0 deletions 2 rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValueGood.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
let key = Aes256Gcm::generate_key(aes_gcm::aead::OsRng); // GOOD: Using randomly generated keys for encryption
let cipher = Aes256Gcm::new(&key);
Morty Proxy This is a proxified and sanitized view of the page, visit original site.