Commit 40b87e6

Ruby: tests for rb/weak-cryptographic-algorithm
1 parent 446141a commit 40b87e6

3 files changed

+98
-0
lines changed

Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
| broken_crypto.rb:4:8:4:34 | call to new | The cryptographic algorithm DES is broken or weak, and should not be used. |
2+
| broken_crypto.rb:8:1:8:18 | call to update | The cryptographic algorithm DES is broken or weak, and should not be used. |
3+
| broken_crypto.rb:12:8:12:43 | call to new | The cryptographic algorithm AES is broken or weak, and should not be used. |
4+
| broken_crypto.rb:16:1:16:18 | call to update | The cryptographic algorithm AES is broken or weak, and should not be used. |
5+
| broken_crypto.rb:28:1:28:35 | call to new | The cryptographic algorithm AES is broken or weak, and should not be used. |
6+
| broken_crypto.rb:37:1:37:33 | call to new | The cryptographic algorithm AES is broken or weak, and should not be used. |
7+
| broken_crypto.rb:42:1:42:33 | call to new | The cryptographic algorithm AES is broken or weak, and should not be used. |
8+
| broken_crypto.rb:47:1:47:33 | call to new | The cryptographic algorithm AES is broken or weak, and should not be used. |
9+
| broken_crypto.rb:52:1:52:29 | call to new | The cryptographic algorithm BF is broken or weak, and should not be used. |
10+
| broken_crypto.rb:57:1:57:32 | call to new | The cryptographic algorithm CAST5 is broken or weak, and should not be used. |
11+
| broken_crypto.rb:60:1:60:24 | call to new | The cryptographic algorithm DES is broken or weak, and should not be used. |
12+
| broken_crypto.rb:62:1:62:30 | call to new | The cryptographic algorithm DES is broken or weak, and should not be used. |
13+
| broken_crypto.rb:67:1:67:31 | call to new | The cryptographic algorithm IDEA is broken or weak, and should not be used. |
14+
| broken_crypto.rb:70:1:70:24 | call to new | The cryptographic algorithm RC2 is broken or weak, and should not be used. |
15+
| broken_crypto.rb:72:1:72:30 | call to new | The cryptographic algorithm RC2 is broken or weak, and should not be used. |
16+
| broken_crypto.rb:75:1:75:24 | call to new | The cryptographic algorithm RC4 is broken or weak, and should not be used. |
17+
| broken_crypto.rb:77:1:77:29 | call to new | The cryptographic algorithm RC4 is broken or weak, and should not be used. |
18+
| broken_crypto.rb:79:1:79:35 | call to new | The cryptographic algorithm RC4 is broken or weak, and should not be used. |
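Review bot: the expected rows for broken_crypto.rb lines 12, 16, 28, 37, 42 and 47 read "The cryptographic algorithm AES is broken or weak", but the test source marks those cases as a weak block mode (ECB), not a weak algorithm. Committing this wording as the expected output locks in an alert that tells the user to stop using AES rather than to change the mode; consider having the message name the mode for these cases before the rows are fixed in the expected file. The same mismatch applies to the BF, CAST5 and IDEA rows for lines 52, 57 and 67, where the source comment is also "weak block mode".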
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
queries/security/cwe-327/BrokenCryptoAlgorithm.ql
Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
require 'openssl'
2+
3+
# BAD: creating a cipher using a weak scheme
4+
weak = OpenSSL::Cipher.new('des3')
5+
weak.encrypt
6+
weak.random_key
7+
# BAD: encrypting data using a weak cipher
8+
weak.update('foo')
9+
weak.final
10+
11+
# BAD: creating a cipher using a weak block mode
12+
weak = OpenSSL::Cipher::AES.new(128, 'ecb')
13+
weak.encrypt
14+
weak.random_key
15+
# BAD: encrypting data using a weak block mode
16+
weak.update('foo')
17+
weak.final
18+
19+
# GOOD: creating a cipher using a strong scheme
20+
strong = OpenSSL::Cipher.new('blowfish')
21+
strong.encrypt
22+
strong.random_key
23+
# GOOD: encrypting data using a strong cipher
24+
strong.update('bar')
25+
strong.final
26+
27+
# BAD: weak block mode
28+
OpenSSL::Cipher::AES.new(128, :ecb)
29+
# GOOD: strong encryption algorithm
30+
OpenSSL::Cipher::AES.new(128, 'cbc')
31+
# GOOD: strong encryption algorithm
32+
OpenSSL::Cipher::AES.new('128-cbc')
33+
34+
# GOOD: strong encryption algorithm
35+
OpenSSL::Cipher::AES128.new
36+
# BAD: weak block mode
37+
OpenSSL::Cipher::AES128.new 'ecb'
38+
39+
# GOOD: strong encryption algorithm
40+
OpenSSL::Cipher::AES192.new
41+
# BAD: weak block mode
42+
OpenSSL::Cipher::AES192.new 'ecb'
43+
44+
# GOOD: strong encryption algorithm
45+
OpenSSL::Cipher::AES256.new
46+
# BAD: weak block mode
47+
OpenSSL::Cipher::AES256.new 'ecb'
48+
49+
# GOOD: strong encryption algorithm
50+
OpenSSL::Cipher::BF.new
51+
# BAD: weak block mode
52+
OpenSSL::Cipher::BF.new 'ecb'
53+
54+
# GOOD: strong encryption algorithm
55+
OpenSSL::Cipher::CAST5.new
56+
# BAD: weak block mode
57+
OpenSSL::Cipher::CAST5.new 'ecb'
58+
59+
# BAD: weak encryption algorithm
60+
OpenSSL::Cipher::DES.new
61+
# BAD: weak encryption algorithm
62+
OpenSSL::Cipher::DES.new 'cbc'
63+
64+
# GOOD: strong encryption algorithm
65+
OpenSSL::Cipher::IDEA.new
66+
# BAD: weak block mode
67+
OpenSSL::Cipher::IDEA.new 'ecb'
68+
69+
# BAD: weak encryption algorithm
70+
OpenSSL::Cipher::RC2.new
71+
# BAD: weak encryption algorithm
72+
OpenSSL::Cipher::RC2.new 'ecb'
73+
74+
# BAD: weak encryption algorithm
75+
OpenSSL::Cipher::RC4.new
76+
# BAD: weak encryption algorithm
77+
OpenSSL::Cipher::RC4.new '40'
78+
# BAD: weak encryption algorithm
79+
OpenSSL::Cipher::RC4.new 'hmac-md5'
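Review bot: the ECB cases only exercise the class-specific constructors with a separate mode argument (`OpenSSL::Cipher::AES.new(128, 'ecb')`, `AES128.new 'ecb'` and so on); there is no BAD counterpart to the combined-string form used at line 32 (`OpenSSL::Cipher::AES.new('128-cbc')`), and the two `OpenSSL::Cipher.new` calls at lines 4 and 20 pass a bare algorithm name with no mode. Adding an ECB case for each of those forms would pin down whether the query extracts the mode from a combined name. As a smaller point, the GOOD comments at lines 49, 54 and 64 describe BF, CAST5 and IDEA as "strong encryption algorithm"; wording such as "not flagged" would state the test expectation without asserting anything about those ciphers.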
