fix(policies): Expand encryption detectors (#264)
* fix: extend encryption detectors

* chore: update snapshots

* fix: update snapshots

Co-authored-by: Cédric Fabianski <[email protected]>
elsapet and cfabianski authored Dec 15, 2022
1 parent e047f56 commit b1bbbdc
Showing 5 changed files with 184 additions and 0 deletions.
Expand Up @@ -42,6 +42,22 @@ risks:
parent:
line_number: 3
content: Digest::MD5.hexdigest(user.first_name)
- name: Gender identity
stored: false
locations:
- filename: integration/custom_detectors/testdata/ruby/weak_encryption_library.rb
line_number: 6
parent:
line_number: 6
content: Crypt::Blowfish.new("insecure").encrypt_block({ |u| user.gender_identity })
- name: Physical Address
stored: false
locations:
- filename: integration/custom_detectors/testdata/ruby/weak_encryption_library.rb
line_number: 4
parent:
line_number: 4
content: RC4.new("insecure").encrypt(user.address)
- detector_id: encrypt_method_call
data_types:
- name: Physical Address
Expand Up @@ -62,6 +62,14 @@ risks:
parent:
line_number: 20
content: Digest::MD5.hexdigest(user.first_name)
- name: Gender identity
stored: false
locations:
- filename: integration/custom_detectors/testdata/ruby/weak_password_encryption.rb
line_number: 22
parent:
line_number: 22
content: Crypt::Blowfish.new("insecure").encrypt_block({ |u| user.gender_identity })
- name: Passwords
stored: false
locations:
Expand All @@ -75,6 +83,29 @@ risks:
parent:
line_number: 2
content: Digest::MD5.hexdigest(user.password)
- filename: integration/custom_detectors/testdata/ruby/weak_password_encryption.rb
line_number: 4
parent:
line_number: 4
content: RC4.new("insecure").encrypt(user.password)
- filename: integration/custom_detectors/testdata/ruby/weak_password_encryption.rb
line_number: 5
parent:
line_number: 5
content: Crypt::Blowfish.new("insecure").encrypt_block({ |u| user.password })
- filename: integration/custom_detectors/testdata/ruby/weak_password_encryption.rb
line_number: 7
parent:
line_number: 7
content: OpenSSL::PKey::RSA.new(File.read('rsa.pem')).private_encrypt(customer.password)
- name: Physical Address
stored: false
locations:
- filename: integration/custom_detectors/testdata/ruby/weak_password_encryption.rb
line_number: 21
parent:
line_number: 21
content: RC4.new("insecure").encrypt(user.address)
- detector_id: encrypt_method_call
data_types:
- name: Passwords
59 changes: 59 additions & 0 deletions integration/flags/.snapshots/TestInitCommand
Expand Up @@ -253,6 +253,62 @@ scan:
minimum: null
maximum: null
match_violation: false
- pattern: |
RC4.new(...).encrypt(<$DATA_TYPE>)
filters: []
- pattern: |
OpenSSL::PKey::RSA.new($_, <$DATA_TYPE>)
filters: []
- pattern: |
OpenSSL::PKey::RSA.new(...).$METHOD(<$DATA_TYPE>)
filters:
- variable: METHOD
values:
- private_decrypt
- private_encrypt
- public_decrypt
- public_encrypt
minimum: null
maximum: null
match_violation: false
- pattern: |
OpenSSL::PKey::DSA.new($_, <$DATA_TYPE>)
filters: []
- pattern: |
OpenSSL::PKey::$LIBRARY.new(...).$METHOD($_, <$DATA_TYPE>)
filters:
- variable: $LIBRARY
values:
- DSA
- RSA
minimum: null
maximum: null
match_violation: false
- variable: METHOD
values:
- export
- to_pem
- to_s
minimum: null
maximum: null
match_violation: false
- pattern: |
Crypt::Blowfish.new(...).encrypt_pair
filters: []
- pattern: |
Crypt::Blowfish.new(...).$METHOD(<$DATA_TYPE>)
filters:
- variable: METHOD
values:
- encrypt_pair
- encrypt_string
- encrypt_block
- decrypt_pair
- decrypt_string
- decrypt_block
minimum: null
maximum: null
match_violation: false
root_singularize: false
root_lowercase: false
metavars: {}
Expand Down Expand Up @@ -385,6 +441,9 @@ scan:
- encrypt_pair
- encrypt_string
- encrypt_block
- decrypt_pair
- decrypt_string
- decrypt_block
minimum: null
maximum: null
match_violation: false
Expand Up @@ -29,6 +29,26 @@ high:
parent_line_number: 4
parent_content: RC4.new("insecure").encrypt(user.password)
omit_parent: false
- policy_name: Force strong password encryption.
policy_display_id: CR-023
policy_description: Using a weak encryption or hashing library to encrypt passwords can lead to security breaches and data leaks. This policy checks if weak encryption or hashing libraries are used to encrypt passwords.
line_number: 5
filename: integration/policies/testdata/ruby/weak_password_encryption.rb
category_groups:
- PII
parent_line_number: 5
parent_content: Crypt::Blowfish.new("insecure").encrypt_block({ |u| user.password })
omit_parent: false
- policy_name: Force strong password encryption.
policy_display_id: CR-023
policy_description: Using a weak encryption or hashing library to encrypt passwords can lead to security breaches and data leaks. This policy checks if weak encryption or hashing libraries are used to encrypt passwords.
line_number: 7
filename: integration/policies/testdata/ruby/weak_password_encryption.rb
category_groups:
- PII
parent_line_number: 7
parent_content: OpenSSL::PKey::RSA.new(File.read('rsa.pem')).private_encrypt(customer.password)
omit_parent: false
- policy_name: Force strong password encryption.
policy_display_id: CR-023
policy_description: Using a weak encryption or hashing library to encrypt passwords can lead to security breaches and data leaks. This policy checks if weak encryption or hashing libraries are used to encrypt passwords.
Expand Down Expand Up @@ -90,6 +110,17 @@ low:
parent_line_number: 20
parent_content: RC4.new("insecure").encrypt(user.address)
omit_parent: false
- policy_name: Avoid weak encryption library.
policy_display_id: CR-024
policy_description: A weak encryption or hashing library can lead to data breaches and greater security risk. This policy checks for the use of weak encryption and hashing libraries or algorithms.
line_number: 21
filename: integration/policies/testdata/ruby/weak_password_encryption.rb
category_groups:
- PII
- Personal Data (Sensitive)
parent_line_number: 21
parent_content: Crypt::Blowfish.new("insecure").encrypt_block({ |u| user.gender_identity })
omit_parent: false


--
47 changes: 47 additions & 0 deletions pkg/commands/process/settings/custom_detector.yml
Expand Up @@ -311,6 +311,50 @@ detect_ruby_weak_encryption:
- values:
- DSA
- RSA
- pattern: |
RC4.new(...).encrypt(<$DATA_TYPE>)
filters: []
- pattern: |
OpenSSL::PKey::RSA.new($_, <$DATA_TYPE>)
filters: []
- pattern: |
OpenSSL::PKey::RSA.new(...).$METHOD(<$DATA_TYPE>)
filters:
- variable: METHOD
values:
- private_decrypt
- private_encrypt
- public_decrypt
- public_encrypt
- pattern: |
OpenSSL::PKey::DSA.new($_, <$DATA_TYPE>)
filters: []
- pattern: |
OpenSSL::PKey::$LIBRARY.new(...).$METHOD($_, <$DATA_TYPE>)
filters:
- variable: $LIBRARY
values:
- DSA
- RSA
- variable: METHOD
values:
- export
- to_pem
- to_s
- pattern: |
Crypt::Blowfish.new(...).encrypt_pair
filters: []
- pattern: |
Crypt::Blowfish.new(...).$METHOD(<$DATA_TYPE>)
filters:
- variable: METHOD
values:
- encrypt_pair
- encrypt_string
- encrypt_block
- decrypt_pair
- decrypt_string
- decrypt_block
languages:
- "ruby"
initialize_ruby_rc4_encryption:
Expand Down Expand Up @@ -396,5 +440,8 @@ ruby_blowfish_method_call:
- encrypt_pair
- encrypt_string
- encrypt_block
- decrypt_pair
- decrypt_string
- decrypt_block
languages:
- "ruby"
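Review bot: The filter for the `OpenSSL::PKey::$LIBRARY.new(...).$METHOD($_, <$DATA_TYPE>)` pattern declares its variable as `variable: $LIBRARY`, while every other filter in this detector, including the three `variable: METHOD` entries in the same hunk, uses the bare metavariable name; if the filter engine keys on the bare name, the DSA/RSA restriction is silently never applied and the pattern matches any `OpenSSL::PKey::*` class, so the line should read `- variable: LIBRARY`. The same `$LIBRARY` form is carried into the TestInitCommand snapshot, which would need regenerating after the fix. The RSA and DSA patterns also sit under `detect_ruby_weak_encryption` although neither algorithm is weak in itself; they appear to flag a data type passed as a key passphrase or as raw asymmetric-encryption input, and a short comment above the first `OpenSSL::PKey` pattern saying so, e.g. `# RSA/DSA entries flag a data type used as a key passphrase or encrypted directly, not the algorithm`, would tell the next maintainer why they are grouped here. The `detect_ruby_weak_encryption` block starts outside the hunk.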
