Merge pull request #2987 from LLLXXXCCC/DoNotHardCodeEncryptionKey

Do not hard code encryption key
dotnet · Oct 30, 2019 · 89f1193 · 89f1193
2 parents e410fcd + f8fdccd
commit 89f1193
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 48 deletions.
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeCertificateTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeCertificateTests.cs
@@ -116,27 +116,6 @@ public void TestMethod(byte[] bytes, string path)
             GetCSharpResultAt(12, 9, 10, 38, "X509Certificate.X509Certificate(string fileName)", "void TestClass.TestMethod(byte[] bytes, string path)", "string chars", "int ASCIIEncoding.GetBytes(string chars, int charIndex, int charCount, byte[] bytes, int byteIndex)"));
         }
 
-        [Fact]
-        public void Test_Source_ASCIIEncodingGetBytes_WithCharArrayAndInt32AndInt32AndByteArrayAndInt32Parameters_WithConstantCharArray_Diagnostic()
-        {
-            VerifyCSharp(@"
-using System.IO;
-using System.Text;
-using System.Security.Cryptography.X509Certificates;
-
-class TestClass
-{
-    public void TestMethod(byte[] bytes, string path)
-    {
-        char[] chars = new char[] {'1', '2', '3'};
-        new ASCIIEncoding().GetBytes(chars, 0, 3, bytes, 0);
-        File.WriteAllBytes(path, bytes);
-        new X509Certificate(path);
-    }
-}",
-            GetCSharpResultAt(13, 9, 10, 24, "X509Certificate.X509Certificate(string fileName)", "void TestClass.TestMethod(byte[] bytes, string path)", "char[]", "void TestClass.TestMethod(byte[] bytes, string path)"));
-        }
-
         [Fact]
         public void Test_Sink_X509Certificate_WithStringAndSecureStringAndX509KeyStorageFlagsParameters_Diagnostic()
         {
@@ -383,6 +362,27 @@ public void TestMethod(byte[] bytes, string path)
 }");
         }
 
+        [Fact]
+        public void Test_Source_ASCIIEncodingGetBytes_WithCharArrayAndInt32AndInt32AndByteArrayAndInt32Parameters_WithConstantCharArray_NoDiagnostic()
+        {
+            VerifyCSharp(@"
+using System.IO;
+using System.Text;
+
+using System.Security.Cryptography.X509Certificates;
+
+class TestClass
+{
+    public void TestMethod(byte[] bytes, string path)
+    {
+        char[] chars = new char[] {'1', '2', '3'};
+        new ASCIIEncoding().GetBytes(chars, 0, 3, bytes, 0);
+        File.WriteAllBytes(path, bytes);
+        new X509Certificate(path);
+    }
+}");
+        }
+
         protected override DiagnosticAnalyzer GetBasicDiagnosticAnalyzer()
         {
             return new DoNotHardCodeCertificate();

diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeEncryptionKeyTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeEncryptionKeyTests.cs
@@ -155,26 +155,6 @@ public void TestMethod(byte[] key, byte[] someOtherBytesForIV)
             GetCSharpResultAt(11, 9, 9, 38, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] key, byte[] someOtherBytesForIV)", "string chars", "int ASCIIEncoding.GetBytes(string chars, int charIndex, int charCount, byte[] bytes, int byteIndex)"));
         }
 
-        [Fact]
-        public void Test_ASCIIEncodingGetBytesWithCharArrayAndInt32AndInt32AndByteArrayAndInt32Parameters_CreateEncryptor_Diagnostic()
-        {
-            VerifyCSharp(@"
-using System.Text;
-using System.Security.Cryptography;
-
-class TestClass
-{
-    public void TestMethod(byte[] key, byte[] someOtherBytesForIV)
-    {
-        char[] chars = new char[] {'1', '2', '3'};
-        new ASCIIEncoding().GetBytes(chars, 0, 3, key, 0);
-        SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
-        rijn.CreateEncryptor(key, someOtherBytesForIV);
-    }
-}",
-            GetCSharpResultAt(12, 9, 9, 24, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] key, byte[] someOtherBytesForIV)", "char[]", "void TestClass.TestMethod(byte[] key, byte[] someOtherBytesForIV)"));
-        }
-
         [Fact]
         public void Test_HardcodedInStringWithVariable_CreateEncryptor_Diagnostic()
         {
@@ -668,6 +648,25 @@ public void TestMethod(char[] chars, byte[] key, byte[] someOtherBytesForIV)
 }");
         }
 
+        [Fact]
+        public void Test_ASCIIEncodingGetBytesWithConstantCharArrayAndInt32AndInt32AndByteArrayAndInt32Parameters_CreateEncryptor_NoDiagnostic()
+        {
+            VerifyCSharp(@"
+using System.Text;
+using System.Security.Cryptography;
+
+class TestClass
+{
+    public void TestMethod(byte[] key, byte[] someOtherBytesForIV)
+    {
+        char[] chars = new char[] {'1', '2', '3'};
+        new ASCIIEncoding().GetBytes(chars, 0, 3, key, 0);
+        SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
+        rijn.CreateEncryptor(key, someOtherBytesForIV);
+    }
+}");
+        }
+
         [Fact]
         public void Test_ElementTypeIsTypeParameter_NoDiagnostic()
         {

diff --git a/...Utilities/FlowAnalysis/FlowAnalysis/Analysis/TaintedDataAnalysis/HardcodedBytesSources.cs b/...Utilities/FlowAnalysis/FlowAnalysis/Analysis/TaintedDataAnalysis/HardcodedBytesSources.cs
@@ -96,13 +96,6 @@ static HardcodedBytesSources()
                 taintedMethodsNeedsPointsToAnalysis: null,
                 taintedMethodsNeedsValueContentAnalysis: null,
                 taintConstantArray: true);
-            builder.AddSourceInfo(
-                WellKnownTypeNames.SystemChar,
-                isInterface: false,
-                taintedProperties: null,
-                taintedMethodsNeedsPointsToAnalysis: null,
-                taintedMethodsNeedsValueContentAnalysis: null,
-                taintConstantArray: true);
 
             SourceInfos = builder.ToImmutableAndFree();
         }