-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 259e7de
Showing
42 changed files
with
2,331 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| // Set no security authentication | ||
| public class Main { | ||
| public static void main() { | ||
| env = new Hashtable(); | ||
| env.put(Context.SECURITY_AUTHENTICATION, "none"); | ||
| // ruleid: anonymous-ldap-bind | ||
| dirContext = new InitialDirContext(env); | ||
| } | ||
| } | ||
|
|
||
| // Set security authentication after | ||
| public class Main { | ||
| public static void main() { | ||
| env = new Hashtable(); | ||
| env.put(Context.SECURITY_AUTHENTICATION, "none"); | ||
| env.put(Context.SECURITY_AUTHENTICATION, validContext); | ||
| // ok: anonymous-ldap-bind | ||
| dirContext = new InitialDirContext(env); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| import javax.servlet.http.Cookie; | ||
|
|
||
| // No setting of HttpOnly | ||
| public class Main{ | ||
| public static void main() { | ||
| Cookie cookie = new Cookie("email",userName); | ||
| // ruleid: cookie-missing-httponly | ||
| response.addCookie(cookie); | ||
| } | ||
| } | ||
|
|
||
| // Setting of HttpOnly | ||
| public class Main{ | ||
| public static void main() { | ||
| Cookie cookie = new Cookie("email",userName); | ||
| cookie.setSecure(true); | ||
| cookie.setHttpOnly(true); | ||
| // ok: cookie-missing-httponly | ||
| response.addCookie(cookie); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| import javax.servlet.http.Cookie; | ||
|
|
||
| // No setting of secure flag | ||
| public class Main{ | ||
| public static void main() { | ||
| Cookie cookie = new Cookie("userName",userName); | ||
| // ruleid: cookie-missing-secure | ||
| response.addCookie(cookie); | ||
| } | ||
| } | ||
|
|
||
| // Setting of secure flag | ||
| public class Main{ | ||
| public static void main() { | ||
| Cookie cookie = new Cookie("email",userName); | ||
| cookie.setSecure(true); | ||
| cookie.setHttpOnly(true); | ||
| // ok: cookie-missing-secure | ||
| response.addCookie(cookie); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| // Cipher modes with HMAC | ||
| public class Main { | ||
| public static void main() { | ||
| // ok: deprecated-cipher-mode | ||
| Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); | ||
| } | ||
|
|
||
| // Cipher modes without HMAC | ||
| public static void main2() { | ||
| // ruleid: deprecated-cipher-mode | ||
| Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding"); | ||
| c.init(javax.crypto.Cipher.ENCRYPT_MODE, publicKey); | ||
| // ruleid: deprecated-cipher-mode | ||
| Cipher c = Cipher.getInstance("DESede/ECB/PKCS5Padding"); | ||
| } | ||
| public static Cipher getCipher() { | ||
| if (cipher == null) { | ||
| try { | ||
| // ruleid: deprecated-cipher-mode | ||
| cipher = javax.crypto.Cipher.getInstance( | ||
| "RSA/ECB/OAEPWithSHA-512AndMGF1Padding", "SunJCE"); | ||
| // Prepare the cipher to encrypt | ||
| java.security.KeyPairGenerator keyGen = | ||
| java.security.KeyPairGenerator.getInstance("RSA"); | ||
| keyGen.initialize(4096); | ||
| java.security.PublicKey publicKey = keyGen.genKeyPair().getPublic(); | ||
| cipher.init(javax.crypto.Cipher.ENCRYPT_MODE, publicKey); | ||
| } catch (NoSuchAlgorithmException | ||
| | NoSuchProviderException | ||
| | NoSuchPaddingException | ||
| | InvalidKeyException e) { | ||
| e.printStackTrace(); | ||
| } | ||
| } | ||
| return cipher; | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| // Use of DES | ||
| public class Main { | ||
| public static void main() { | ||
| // ruleid: deprecated-des | ||
| Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding"); | ||
| c.init(Cipher.ENCRYPT_MODE, k, iv); | ||
| byte[] cipherText = c.doFinal(plainText); | ||
| } | ||
| } | ||
|
|
||
| // Use of AES | ||
| public class Main { | ||
| public static void main() { | ||
| // ok: deprecated-des | ||
| Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); | ||
| c.init(Cipher.ENCRYPT_MODE, k, iv); | ||
| byte[] cipherText = c.doFinal(plainText); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| // Standard use of MD5 | ||
| public class Main { | ||
| public static void main() { | ||
| // ruleid: deprecated-md5 | ||
| MessageDigest md5Digest = MessageDigest.getInstance("MD5"); | ||
| // ruleid: deprecated-md5 | ||
| byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); | ||
| // ok: deprecated-md5 | ||
| MessageDigest sha256Digest = MessageDigest.getInstance("SHA256"); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| // Standard use of SHA-1 | ||
| public class Main { | ||
| public static void main() { | ||
| // ruleid: deprecated-sha-1 | ||
| MessageDigest sha1Digest = MessageDigest.getInstance("SHA1"); | ||
| // ruleid: deprecated-sha-1 | ||
| byte[] hashValue = DigestUtils.getSha1Digest().digest(password.getBytes()); | ||
| // ok: deprecated-sha-1 | ||
| MessageDigest sha256Digest = MessageDigest.getInstance("SHA256"); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| import javax.net.ssl.SSLContext; | ||
|
|
||
| // Use of SSL | ||
| public class Main { | ||
| public static void main_insecure_1() { | ||
| // ruleid: deprecated-ssl | ||
| SSLContext sslContext = SSLContext.getInstance("SSL"); | ||
| } | ||
|
|
||
| public static void main_insecure_2() { | ||
| // https://stackoverflow.com/questions/29841610/will-sslcontext-getinstancetls-supports-tls-v1-1-and-tls-v1-2-also | ||
| // ruleid: deprecated-ssl | ||
| SSLContext sslContext = javax.net.ssl.SSLContext.getInstance("TLS"); | ||
| } | ||
|
|
||
| public static void main_insecure_3() { | ||
| SSLContext sslContext = new SSLContext(); | ||
| // ruleid: deprecated-ssl | ||
| sslContext = sslContext.getInstance("TLS"); | ||
| } | ||
| public static void main_secure() { | ||
| // ok: deprecated-ssl | ||
| SSLContext sslContext = new SSLContext(); | ||
| sslContext = sslContext.getInstance("TLS1.2"); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| // Use of Triple DES | ||
| public class Main { | ||
| public static void main() { | ||
| // ruleid: deprecated-tdes | ||
| Cipher c = Cipher.getInstance("DESede/ECB/PKCS5Padding"); | ||
| c.init(Cipher.ENCRYPT_MODE, k, iv); | ||
| byte[] cipherText = c.doFinal(plainText); | ||
| } | ||
| } | ||
|
|
||
| // Use of AES | ||
| public class Main { | ||
| public static void main() { | ||
| // ok: deprecated-tdes | ||
| Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); | ||
| c.init(Cipher.ENCRYPT_MODE, k, iv); | ||
| byte[] cipherText = c.doFinal(plainText); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| // Properly configured API | ||
| public class Main { | ||
| public static void main() { | ||
| // ok: insecure-esapi-config | ||
| Encryptor.CipherText.useMAC=true; | ||
| Encryptor.EncryptionAlgorithm=AES; | ||
| // ok: insecure-esapi-config | ||
| Encryptor.CipherTransformation=AES/GCM/NoPadding; | ||
| // ok: insecure-esapi-config | ||
| Encryptor.cipher_modes.additional_allowed=null; | ||
| } | ||
| } | ||
|
|
||
| // Badly configured API | ||
| public class Main { | ||
| public static void main() { | ||
| // ruleid: insecure-esapi-config | ||
| Encryptor.CipherText.useMAC=false; | ||
| Encryptor.EncryptionAlgorithm=AES; | ||
| // ruleid: insecure-esapi-config | ||
| Encryptor.CipherTransformation=AES/CBC/PKCS5Padding; | ||
| // ruleid: insecure-esapi-config | ||
| Encryptor.cipher_modes.additional_allowed=CBC; | ||
| } | ||
| } |
27 changes: 27 additions & 0 deletions
27
lang/insecure-hexadecimal-conversion/insecure-hexadecimal-conversion.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| // Usage of Integer.toHexString on a hash | ||
| public class Main { | ||
| public static void main() { | ||
| MessageDigest md = MessageDigest.getInstance("SHA-256"); | ||
| byte[] resultBytes = md.digest(password.getBytes("UTF-8")); | ||
|
|
||
| StringBuilder stringBuilder = new StringBuilder(); | ||
| for(byte b :resultBytes) { | ||
| // ruleid: insecure-hexadecimal-conversion | ||
| stringBuilder.append( Integer.toHexString( b & 0xFF ) ); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| // Usage of String.format on a hash | ||
| public class Main { | ||
| public static void main() { | ||
| MessageDigest md = MessageDigest.getInstance("SHA-256"); | ||
| byte[] resultBytes = md.digest(password.getBytes("UTF-8")); | ||
|
|
||
| StringBuilder stringBuilder = new StringBuilder(); | ||
| for(byte b :resultBytes) { | ||
| // ok: insecure-hexadecimal-conversion | ||
| stringBuilder.append( String.format( "%02X", b & 0xFF ) ); | ||
| } | ||
| } | ||
| } |
15 changes: 15 additions & 0 deletions
15
lang/insecure-implementation-hostnameverifier/insecure-implementation-hostnameverifier.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| // Class implements HostnameVerifier and returns true on verify | ||
| public class AllHosts implements HostnameVerifier { | ||
| public boolean verify(final String hostname, final SSLSession session) { | ||
| // ruleid: insecure-implementation-hostnameverifier | ||
| return true; | ||
| } | ||
| } | ||
|
|
||
| // Class does not implement HostnameVerifier | ||
| public class AllHosts { | ||
| public boolean verify(final String hostname, final SSLSession session) { | ||
| // ok: insecure-implementation-hostnameverifier | ||
| return true; | ||
| } | ||
| } |
20 changes: 20 additions & 0 deletions
20
lang/insecure-implementation-trustmanager/insecure-implementation-trustmanager.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| class TrustAllManager implements X509TrustManager { | ||
|
|
||
| // ruleid: insecure-implementation-trustmanager | ||
| @Override | ||
| public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { | ||
| //Trust any client connecting (no certificate validation) | ||
| } | ||
|
|
||
| // ruleid: insecure-implementation-trustmanager | ||
| @Override | ||
| public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { | ||
| //Trust any remote server (no certificate validation) | ||
| } | ||
|
|
||
| @Override | ||
| public X509Certificate[] getAcceptedIssuers() { | ||
| // ruleid: insecure-implementation-trustmanager | ||
| return null; | ||
| } | ||
| } |
37 changes: 37 additions & 0 deletions
37
...entry-poisoning-object-returning-search/ldap-entry-poisoning-object-returning-search.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| import javax.naming.directory.DirContext; | ||
| import javax.naming.directory.InitialDirContext; | ||
| import javax.naming.directory.SearchControls; | ||
|
|
||
| // Retobj flag set to true | ||
| public class Main { | ||
| public static void main(String query, String filter, String[] attributes) { | ||
| DirContext ctx = new InitialDirContext(); | ||
|
|
||
| ctx.search(query, filter, | ||
| // ruleid: ldap-entry-poisoning-object-returning-search | ||
| new SearchControls(2, 0, 0, attributes, | ||
| true, //Enable object deserialization if bound in directory | ||
| true)); | ||
|
|
||
| // ruleid: ldap-entry-poisoning-object-returning-search | ||
| SearchControls sc = new SearchControls(1, 0, 0, attributes, | ||
| false, //Enable object deserialization if bound in directory | ||
| true); | ||
| sc.setReturningObjFlag(true); | ||
| ctx.search(query, filter, sc); | ||
| } | ||
|
|
||
| // Retobj flag set to false | ||
| public static void main2(String query, String filter, String[] attributes) { | ||
| DirContext ctx = new InitialDirContext(); | ||
|
|
||
| ctx.search(query, filter, | ||
| // ok: ldap-entry-poisoning-object-returning-search | ||
| new SearchControls(2, 0, 0, attributes, | ||
| false, | ||
| true)); | ||
| } | ||
| } | ||
|
|
||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| // No padding on RSA | ||
| public class Main { | ||
| public static void main() { | ||
| // ruleid: no-padding-rsa | ||
| Cipher c = Cipher.getInstance("RSA/NONE/NoPadding"); | ||
| c.init(Cipher.ENCRYPT_MODE, k, iv); | ||
| byte[] cipherText = c.doFinal(plainText); | ||
| } | ||
| } | ||
|
|
||
| // OAEP padding on RSA | ||
| public class Main { | ||
| public static void main() { | ||
| // ok: no-padding-rsa | ||
| Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding"); | ||
| c.init(Cipher.ENCRYPT_MODE, k, iv); | ||
| byte[] cipherText = c.doFinal(plainText); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| // Allow all origins | ||
| public class Main { | ||
| public void main() { | ||
| HttpServletResponse response = new HttpServletResponse(); | ||
| // ruleid: permissive-cors-policy | ||
| response.addHeader("Access-CoNtrol-Allow-Origin", "*"); | ||
| } | ||
| } | ||
|
|
||
| // Allow specific origin | ||
| public class Main { | ||
| public void main() { | ||
| HttpServletResponse response = new HttpServletResponse(); | ||
| // ok: permissive-cors-policy | ||
| response.addHeader("Access-ControL-Allow-Origin", "https://www.google.com"); | ||
| } | ||
| } |
12 changes: 12 additions & 0 deletions
12
lang/predictable-random-number-generator/predictable-random-number-generator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| // Import of the Random library when in a critical security context | ||
| import java.util.Random; | ||
| import java.security.SecureRandom; | ||
|
|
||
| public class Main { | ||
| public static void main() { | ||
| // ruleid: predictable-random-number-generator | ||
| Random random = new Random().nextInt(10000, 99999); | ||
| // ok: predictable-random-number-generator | ||
| Random random = new SecureRandom().nextInt(); | ||
| } | ||
| } |
Oops, something went wrong.