diff --git a/rules/kotlin/security/rsa-no-padding-kotlin.yml b/rules/kotlin/security/rsa-no-padding-kotlin.yml
new file mode 100644
index 00000000..a2b9893c
--- /dev/null
+++ b/rules/kotlin/security/rsa-no-padding-kotlin.yml
@@ -0,0 +1,14 @@
+id: rsa-no-padding-kotlin
+severity: warning
+language: kotlin
+message: >-
+ Using RSA without OAEP mode weakens the encryption.
+note: >-
+ [CWE-326] Inadequate Encryption Strength
+ [REFERENCES]
+ - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
+rule:
+ pattern: $YST.getInstance($MODE)
+constraints:
+ MODE:
+ regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding'
diff --git a/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml b/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml
new file mode 100644
index 00000000..fe7dc0d5
--- /dev/null
+++ b/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml
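Review bot: The `MODE` constraint `regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding'` only recognises the `NONE` spelling, so `Cipher.getInstance("RSA/ECB/NoPadding")` — the spelling most JCE examples use — is not reported, and the regex is case-sensitive on `NoPadding` even though JCE resolves transformation names case-insensitively. Widening it to `regex: 'RSA/([Nn][Oo][Nn][Ee]|[Ee][Cc][Bb])/[Nn][Oo][Pp][Aa][Dd][Dd][Ii][Nn][Gg]'` closes both gaps without changing the pattern. The message says "without OAEP mode" while the rule flags only NoPadding (`RSA/ECB/PKCS1Padding` is not OAEP yet passes), so it should describe what is actually detected, e.g. `Using RSA with NoPadding (textbook RSA) gives deterministic, malleable ciphertexts; use an OAEP transformation instead.` Because the check is a regex over a string literal, transformations held in constants or variables are out of scope, which deserves one line in `note`.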
@@ -0,0 +1,56 @@
+id: system-setproperty-hardcoded-secret-kotlin
+language: kotlin
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798]: Use of Hard-coded Credentials
+ [OWASP A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+ match_string_literal:
+ kind: string_literal
+ not:
+ regex: ^""$
+ inside:
+ kind: value_argument
+ nthChild: 2
+ inside:
+ stopBy: end
+ kind: value_arguments
+ has:
+ kind: value_argument
+ any:
+ - has:
+ kind: string_literal
+ regex: ^"javax.net.ssl.keyStorePassword"$
+ - has:
+ kind: string_literal
+ regex: ^"javax.net.ssl.trustStorePassword"$
+
+ inside:
+ kind: call_suffix
+ inside:
+ kind: call_expression
+ has:
+ kind: navigation_expression
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^System$'
+ - has:
+ stopBy: end
+ kind: navigation_suffix
+ has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^setProperty$'
+
+rule:
+ any:
+ - matches: match_string_literal
\ No newline at end of file
diff --git a/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml b/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml
new file mode 100644
index 00000000..c700d787
--- /dev/null
+++ b/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml
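Review bot: `match_string_literal` accepts every `string_literal` in the second argument except the empty string, and the Kotlin grammar appears to represent string templates such as `"${settings.password}"` as `string_literal` nodes too, so a value interpolated from configuration would be reported as a hard-coded secret; the `not:` clause should additionally exclude literals that have an interpolation child node (whatever kind name the grammar uses for it), and a `valid` test should pin that. The `rule:` block wraps a single `matches: match_string_literal` in `any:`, which can simply be the two lines `rule:` and `  matches: match_string_literal`. The `regex: '^System$'` check on a `simple_identifier` will not see a fully qualified `java.lang.System.setProperty(...)` call, which is either a gap or an accepted scope and is worth stating in `note`. The file is also missing its trailing newline (`\ No newline at end of file`).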
@@ -0,0 +1,24 @@
+id: rsa-no-padding-kotlin
+snapshots:
+ ? |
+ Cipher.getInstance("RSA/NONE/NoPadding");
+ : labels:
+ - source: Cipher.getInstance("RSA/NONE/NoPadding")
+ style: primary
+ start: 0
+ end: 40
+ ? |
+ Cipher.getInstance("RSA/None/NoPadding");
+ : labels:
+ - source: Cipher.getInstance("RSA/None/NoPadding")
+ style: primary
+ start: 0
+ end: 40
+ ? |
+ Cipher.getInstance("RSA/None/NoPadding");
+ Cipher.getInstance("RSA/NONE/NoPadding");
+ : labels:
+ - source: Cipher.getInstance("RSA/None/NoPadding")
+ style: primary
+ start: 0
+ end: 40
diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml
new file mode 100644
index 00000000..ece4b45f
--- /dev/null
+++ b/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml
@@ -0,0 +1,50 @@
+id: system-setproperty-hardcoded-secret-kotlin
+snapshots:
+ ? |
+ System.setProperty("javax.net.ssl.keyStorePassword", "password");
+ System.setProperty("javax.net.ssl.trustStorePassword", "password");
+ : labels:
+ - source: '"password"'
+ style: primary
+ start: 53
+ end: 63
+ - source: System
+ style: secondary
+ start: 0
+ end: 6
+ - source: setProperty
+ style: secondary
+ start: 7
+ end: 18
+ - source: .setProperty
+ style: secondary
+ start: 6
+ end: 18
+ - source: System.setProperty
+ style: secondary
+ start: 0
+ end: 18
+ - source: System.setProperty("javax.net.ssl.keyStorePassword", "password")
+ style: secondary
+ start: 0
+ end: 64
+ - source: ("javax.net.ssl.keyStorePassword", "password")
+ style: secondary
+ start: 18
+ end: 64
+ - source: '"javax.net.ssl.keyStorePassword"'
+ style: secondary
+ start: 19
+ end: 51
+ - source: '"javax.net.ssl.keyStorePassword"'
+ style: secondary
+ start: 19
+ end: 51
+ - source: ("javax.net.ssl.keyStorePassword", "password")
+ style: secondary
+ start: 18
+ end: 64
+ - source: '"password"'
+ style: secondary
+ start: 53
+ end: 63
diff --git a/tests/kotlin/rsa-no-padding-kotlin-test.yml b/tests/kotlin/rsa-no-padding-kotlin-test.yml
new file mode 100644
index 00000000..b5a3fc1a
--- /dev/null
+++ b/tests/kotlin/rsa-no-padding-kotlin-test.yml
@@ -0,0 +1,9 @@
+id: rsa-no-padding-kotlin
+valid:
+ - |
+ Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");
+invalid:
+ - |
+ Cipher.getInstance("RSA/None/NoPadding");
+ - |
+ Cipher.getInstance("RSA/NONE/NoPadding");
diff --git a/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml b/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml
new file mode 100644
index 00000000..d66da67a
--- /dev/null
+++ b/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml
@@ -0,0 +1,9 @@
+id: system-setproperty-hardcoded-secret-kotlin
+valid:
+ - |
+ System.setProperty("javax.net.ssl.trustStorePassword", config);
+ System.setProperty("javax.net.ssl.keyStorePassword", config);
+invalid:
+ - |
+ System.setProperty("javax.net.ssl.keyStorePassword", "password");
+ System.setProperty("javax.net.ssl.trustStorePassword", "password");
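Review bot: The only `valid` example, `Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding")`, passes merely because it is not NoPadding, yet as the file's sole model of acceptable usage it chooses MD5 as the OAEP hash; `Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")` would make the positive example one worth copying. Neither list contains `RSA/ECB/NoPadding`, so the rule's behaviour on the common `ECB` spelling is not pinned — add it under `invalid` if it is meant to be caught, or under `valid` to document a deliberate scope. A `valid` entry with `RSA/ECB/PKCS1Padding` would likewise record whether non-OAEP-but-padded transformations are intentionally accepted, since the rule's message talks about OAEP.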
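Review bot: The `valid` section only exercises a bare identifier (`config`) as the value, so the rule's `not: regex: ^""$` exclusion is never tested; a `valid` entry with `System.setProperty("javax.net.ssl.keyStorePassword", "")` covers that branch. If a string template holding a configuration value is meant to be accepted, a `valid` entry such as `System.setProperty("javax.net.ssl.keyStorePassword", "${settings.password}")` would pin that too (and would show whether the rule currently reports it). Both `invalid` snippets use the literal `"password"`; a `valid` call with an unrelated key, e.g. `System.setProperty("some.other.key", "password")`, would confirm the rule is scoped to the two SSL store keys rather than to any literal value.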