-
Notifications
You must be signed in to change notification settings - Fork 715
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add checks for weak public-key cryptography #1736
Comments
Nice suggestion! |
presidentbeef
added a commit
that referenced
this issue
Oct 22, 2022
presidentbeef
added a commit
that referenced
this issue
Oct 23, 2022
The current checks don't appear to catch the following version of the weak RSA padding mode: public_key.encrypt(payload.to_json, rsa_padding_mode: "pkcs1") Should a check for that be added as well? |
Repository owner
locked and limited conversation to collaborators
May 9, 2024
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Is your feature request related to a problem? Please describe.
Similar to check_weak_hash.rb and inspired by ruby/openssl#546 - it is quite easy to use RSA and other asymmetric algorithms insecurely. Some ideas that can be checked for:
Describe the solution you'd like
Flag the code like this blog post which specifically showcases CWE-780:
OpenSSL::PKey::RSA#public_encrypt
defaults to insecure PKCS#1 v1.5 padding. On modern OpenSSL gems (>= 3.0) this is a wrapper forOpenSSL::PKey::PKey#encrypt
, so effectively the following code is called:Both types of calls should be flagged.
Describe alternatives you've considered
N/A
The text was updated successfully, but these errors were encountered: