Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not hard code encryption key #2987

Merged
merged 4 commits into from Oct 30, 2019
Merged

Do not hard code encryption key #2987

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4b720f2
Merge pull request #35 from dotnet/2.9.x
LLLXXXCCC Oct 21, 2019
3a1d5a0
Remove constant char array out of SourceInfos.
LingxiaChen Oct 30, 2019
fe462a4
Merge branch '2.9.x' into DoNotHardCodeEncryptionKey
LLLXXXCCC Oct 30, 2019
f8fdccd
Fix formatting error.
LingxiaChen Oct 30, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
42 changes: 21 additions & 21 deletions src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeCertificateTests.cs
View file
Open in desktop
Expand Up @@ -116,27 +116,6 @@ public void TestMethod(byte[] bytes, string path)
GetCSharpResultAt(12, 9, 10, 38, "X509Certificate.X509Certificate(string fileName)", "void TestClass.TestMethod(byte[] bytes, string path)", "string chars", "int ASCIIEncoding.GetBytes(string chars, int charIndex, int charCount, byte[] bytes, int byteIndex)"));
}

[Fact]
public void Test_Source_ASCIIEncodingGetBytes_WithCharArrayAndInt32AndInt32AndByteArrayAndInt32Parameters_WithConstantCharArray_Diagnostic()
{
VerifyCSharp(@"
using System.IO;
using System.Text;
using System.Security.Cryptography.X509Certificates;

class TestClass
{
public void TestMethod(byte[] bytes, string path)
{
char[] chars = new char[] {'1', '2', '3'};
new ASCIIEncoding().GetBytes(chars, 0, 3, bytes, 0);
File.WriteAllBytes(path, bytes);
new X509Certificate(path);
}
}",
GetCSharpResultAt(13, 9, 10, 24, "X509Certificate.X509Certificate(string fileName)", "void TestClass.TestMethod(byte[] bytes, string path)", "char[]", "void TestClass.TestMethod(byte[] bytes, string path)"));
}

[Fact]
public void Test_Sink_X509Certificate_WithStringAndSecureStringAndX509KeyStorageFlagsParameters_Diagnostic()
{
Expand Down Expand Up @@ -383,6 +362,27 @@ public void TestMethod(byte[] bytes, string path)
}");
}

[Fact]
public void Test_Source_ASCIIEncodingGetBytes_WithCharArrayAndInt32AndInt32AndByteArrayAndInt32Parameters_WithConstantCharArray_NoDiagnostic()
{
VerifyCSharp(@"
using System.IO;
using System.Text;

using System.Security.Cryptography.X509Certificates;

class TestClass
{
public void TestMethod(byte[] bytes, string path)
{
char[] chars = new char[] {'1', '2', '3'};
new ASCIIEncoding().GetBytes(chars, 0, 3, bytes, 0);
File.WriteAllBytes(path, bytes);
new X509Certificate(path);
}
}");
}

protected override DiagnosticAnalyzer GetBasicDiagnosticAnalyzer()
{
return new DoNotHardCodeCertificate();
Expand Down
39 changes: 19 additions & 20 deletions src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeEncryptionKeyTests.cs
View file
Open in desktop
Expand Up @@ -155,26 +155,6 @@ public void TestMethod(byte[] key, byte[] someOtherBytesForIV)
GetCSharpResultAt(11, 9, 9, 38, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] key, byte[] someOtherBytesForIV)", "string chars", "int ASCIIEncoding.GetBytes(string chars, int charIndex, int charCount, byte[] bytes, int byteIndex)"));
}

[Fact]
public void Test_ASCIIEncodingGetBytesWithCharArrayAndInt32AndInt32AndByteArrayAndInt32Parameters_CreateEncryptor_Diagnostic()
{
VerifyCSharp(@"
using System.Text;
using System.Security.Cryptography;

class TestClass
{
public void TestMethod(byte[] key, byte[] someOtherBytesForIV)
{
char[] chars = new char[] {'1', '2', '3'};
new ASCIIEncoding().GetBytes(chars, 0, 3, key, 0);
SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
rijn.CreateEncryptor(key, someOtherBytesForIV);
}
}",
GetCSharpResultAt(12, 9, 9, 24, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] key, byte[] someOtherBytesForIV)", "char[]", "void TestClass.TestMethod(byte[] key, byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInStringWithVariable_CreateEncryptor_Diagnostic()
{
Expand Down Expand Up @@ -668,6 +648,25 @@ public void TestMethod(char[] chars, byte[] key, byte[] someOtherBytesForIV)
}");
}

[Fact]
public void Test_ASCIIEncodingGetBytesWithConstantCharArrayAndInt32AndInt32AndByteArrayAndInt32Parameters_CreateEncryptor_NoDiagnostic()
{
VerifyCSharp(@"
using System.Text;
using System.Security.Cryptography;

class TestClass
{
public void TestMethod(byte[] key, byte[] someOtherBytesForIV)
{
char[] chars = new char[] {'1', '2', '3'};
new ASCIIEncoding().GetBytes(chars, 0, 3, key, 0);
SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
rijn.CreateEncryptor(key, someOtherBytesForIV);
}
}");
}

[Fact]
public void Test_ElementTypeIsTypeParameter_NoDiagnostic()
{
Expand Down
7 changes: 0 additions & 7 deletions ...Utilities/FlowAnalysis/FlowAnalysis/Analysis/TaintedDataAnalysis/HardcodedBytesSources.cs
View file
Open in desktop
Expand Up @@ -96,13 +96,6 @@ static HardcodedBytesSources()
taintedMethodsNeedsPointsToAnalysis: null,
taintedMethodsNeedsValueContentAnalysis: null,
taintConstantArray: true);
builder.AddSourceInfo(
WellKnownTypeNames.SystemChar,
isInterface: false,
taintedProperties: null,
taintedMethodsNeedsPointsToAnalysis: null,
taintedMethodsNeedsValueContentAnalysis: null,
taintConstantArray: true);

SourceInfos = builder.ToImmutableAndFree();
}
Expand Down