Update main.java #1
Conversation
![prisma-cloud-devsecops[bot]](https://avatars.githubusercontent.com/in/135857?s=60&v=4){kind=small}
| } | ||
| } | ||
|
|
||
| class Connector8 { | ||
| void connect(HttpServletRequest req){ | ||
| java.nio.file.Files.createTempDirectory("file"); | ||
| java.nio.file.Files.createTempDirectory("file" ); |
There was a problem hiding this comment.
File Creation in Publicly Shared Directories
File: main.java | Checkov ID: CKV3_SAST_24
Description
CWE: CWE-377: Insecure Temporary File
OWASP: A01:2021 - Broken Access Control
This policy aims to prevent applications from creating files in publicly shared directories such as /tmp or /var/tmp on Linux-based systems. These directories are generally writable by any user, making them susceptible to race condition attacks involving filenames. A successful attack could lead to unauthorized file access, modification, corruption, or deletion. The risk escalates if the application operates with elevated permissions.
Example of violating code:
import java.nio.file.Paths;
import java.io.File;
public class InsecureFileCreation {
public void createFile() {
Paths.get("/tmp/insecureFile");
new File("/var/tmp/insecureFile");
}
}This code is problematic because it creates files in publicly shared directories, exposing the application to risks associated with insecure temporary files.
| } | ||
| } | ||
|
|
||
| class Connector4 { | ||
| @javax.jws.WebMethod | ||
| void connect(HttpServletRequest req){ | ||
| javax.crypto.Cipher.getInstance("DES/CBC/NoPadding"); | ||
| javax.crypto.Cipher.getInstance("DES/CBC/NoPadding" ); |
There was a problem hiding this comment.
Unsafe DES algorithm used
File: main.java | Checkov ID: CKV3_SAST_17
Description
CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP: A02:2021 - Cryptographic Failures
This policy is warning against the use of the Data Encryption Standard (DES) encryption algorithm in Java applications. DES, including its variant Triple DES (3DES or DESede), has been found to be insecure against sufficiently equipped attackers due to its relatively small key size. NIST (the National Institute of Standards and Technology) recommends using the AES (Advanced Encryption Standard) block cipher instead.
Here's an example of violating code:
import javax.crypto.Cipher;
public class Encryption {
public byte[] encryptData(byte[] data, SecretKey key) throws Exception {
Cipher cipher = Cipher.getInstance("DES");
cipher.init(Cipher.ENCRYPT_MODE, key);
return cipher.doFinal(data);
}
}In this code snippet, the Cipher.getInstance method is called with "DES" as an argument, indicating that DES encryption is being used.
| Keygen keygen = javax.crypto.KeyGenerator.getInstance("Blowfish"); | ||
| keygen.init(100); | ||
| Keygen keygen = javax.crypto.KeyGenerator.getInstance("Blowfish" ); | ||
| keygen.init(100 ); |
There was a problem hiding this comment.
Encryption keys with less than 128 bits
File: main.java | Checkov ID: CKV3_SAST_18
Description
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A02:2021 - Cryptographic Failures
The policy is cautioning against the use of small key sizes for encryption, in particular with the Blowfish encryption algorithm. The key size should be at least 128 bits to ensure sufficient resistance against brute force attacks, where an attacker systematically checks all possible keys to decrypt the encrypted data.
An example of violating code could be:
import javax.crypto.KeyGenerator;
public class KeyGen {
public void generateKey() throws Exception {
KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
keyGen.init(64); // Violates the policy.
}
}In this code snippet, the KeyGenerator.init method is called with 64, indicating a 64-bit key size is being used for Blowfish, which is smaller than the recommended 128 bits.
| } | ||
| } | ||
|
|
||
| public class WeakNightVoter implements AccessDecisionVoter { | ||
| @Override | ||
| public int vote(Authentication authentication, Object object, Collection collection) { // Noncompliant | ||
| Calendar calendar = Calendar.getInstance(); | ||
| public int vote(Authentication authentication, Object object, Collection collection) { //Noncompliant |
There was a problem hiding this comment.
Authorization is not robust
File: main.java | Checkov ID: CKV3_SAST_26
Description
CWE: CWE-285: Improper Authorization
OWASP: A01:2021 - Broken Access Control
This policy aims to ensure that the authorization process within an application is robust and not subject to vulnerabilities. Authorization decisions should be robust and depend on strong variables such as user authentication, roles, privileges, location, and time of access.
Example of violating code:
public class WeakVoter implements AccessDecisionVoter {
@Override
public int vote(SecurityContext context) {
// Weak decision
return ACCESS_ABSTAIN;
}
}This code is problematic because it abstains from making a strong authorization decision, potentially allowing unauthorized access.
| @@ -20,7 +20,7 @@ public class HttpRequestDebugFilter implements Filter { | |||
| public void doFilter(ServletRequest request) throws IOException, | |||
| ServletException { | |||
| if (request instanceof HttpServletRequest) { | |||
| javax.crypto.Cipher.getInstance("/CBC/PKCS5Padding") | |||
| javax.crypto.Cipher.getInstance("/CBC/PKCS5Padding" ) | |||
There was a problem hiding this comment.
Integrity of the data during transmission is not being verified
File: main.java | Checkov ID: CKV3_SAST_12
Description
CWE: CWE-353: Missing Support for Integrity Check
OWASP: A08:2021 - Software and Data Integrity Failures
This violation is indicating that the cipher being used for encryption does not provide an integrity check to validate that the encrypted data has not been tampered with. Specifically, it flags the use of AES and DES (or triple DES) in ECB (Electronic Codebook) mode and the use of CBC (Cipher Block Chaining) mode with PKCS5 padding, which do not inherently provide integrity checks.
When these ciphers are used without an additional mechanism to ensure the integrity of the data, it makes the encrypted data susceptible to alterations by an adversary without detection, presenting a security concern.
Example violating code:
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
public class Main {
public static void main(String[] args) throws Exception {
SecretKeySpec key = new SecretKeySpec("1234567812345678".getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key);
}
}In the example above, AES encryption with CBC mode and PKCS5Padding is being used, which doesn't provide an integrity check on the encrypted data.
| @@ -20,7 +20,7 @@ public class HttpRequestDebugFilter implements Filter { | |||
| public void doFilter(ServletRequest request) throws IOException, | |||
| ServletException { | |||
| if (request instanceof HttpServletRequest) { | |||
| javax.crypto.Cipher.getInstance("/CBC/PKCS5Padding") | |||
| javax.crypto.Cipher.getInstance("/CBC/PKCS5Padding" ) | |||
There was a problem hiding this comment.
Use of a broken or risky cryptographic algorithm
File: main.java | Checkov ID: CKV3_SAST_148
Description
CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP: A02:2021 - Cryptographic Failures
This policy detects the use of a broken or risky cryptographic algorithm in Java code. The use of these algorithms can introduce vulnerabilities that could be exploited by attackers to tamper with ciphertext and compromise the security of the system.
Vulnerable code example:
Cipher.getInstance("DES");The above code example uses the "DES" cryptographic algorithm, which is considered weak and vulnerable to attack. It does not provide built-in message integrity, making it easier for an adversary to tamper with the ciphertext and potentially decrypt the data.
| } | ||
| } | ||
|
|
||
| class Connector4 { | ||
| @javax.jws.WebMethod | ||
| void connect(HttpServletRequest req){ | ||
| javax.crypto.Cipher.getInstance("DES/CBC/NoPadding"); | ||
| javax.crypto.Cipher.getInstance("DES/CBC/NoPadding" ); |
There was a problem hiding this comment.
Use of a broken or risky cryptographic algorithm
File: main.java | Checkov ID: CKV3_SAST_148
Description
CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP: A02:2021 - Cryptographic Failures
This policy detects the use of a broken or risky cryptographic algorithm in Java code. The use of these algorithms can introduce vulnerabilities that could be exploited by attackers to tamper with ciphertext and compromise the security of the system.
Vulnerable code example:
Cipher.getInstance("DES");The above code example uses the "DES" cryptographic algorithm, which is considered weak and vulnerable to attack. It does not provide built-in message integrity, making it easier for an adversary to tamper with the ciphertext and potentially decrypt the data.
| Cookie cook = new Cookie("cookie"); | ||
| cook.setMaxAge(31536000); | ||
| Cookie cook = new Cookie("cookie" ); | ||
| cook.setMaxAge(31536000 ); |
There was a problem hiding this comment.
Cookie stored for an extended period of time
File: main.java | Checkov ID: CKV3_SAST_20
Description
CWE: CWE-539: Information Exposure Through Persistent Cookies
OWASP: A04:2021 - Insecure Design
This policy refers to the practice of setting cookies to persist for an extended period of time. The value of 31536000 seconds corresponds to one year. If a cookie, especially one containing sensitive data, is set to persist for a year or more, it can increase the risk of data exposure or account compromise, especially if the user's system is compromised or the cookie is otherwise mishandled.
Here is an example of a violating code:
import javax.servlet.http.Cookie;
public class PersistentCookieCreator {
public void createCookie(javax.servlet.http.HttpServletResponse response) {
Cookie myCookie = new Cookie("user", "john");
myCookie.setMaxAge(31536000); // Cookie is set to persist for one year
response.addCookie(myCookie);
}
}In the above code, a new cookie is being created and the maximum age of the cookie is being set to one year. This means the cookie will persist for that duration, even if the user closes the browser or restarts the system.
| @@ -30,7 +30,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { | |||
|
|
|||
| @Override | |||
| protected void configure(HttpSecurity http) throws Exception { | |||
| http.csrf().ignoringAntMatchers("/route/fre"); | |||
| http.csrf().ignoringAntMatchers("/route/fre" ); | |||
There was a problem hiding this comment.
CSRF is Disabled
File: main.java | Checkov ID: CKV3_SAST_25
Description
CWE: CWE-352: Cross-site forgery
OWASP: A01:2021 - Broken Access Control
This policy aims to prevent the disabling of Cross-Site Request Forgery (CSRF) protection in web applications. CSRF is an attack that tricks the victim into submitting a malicious request. Since web browsers automatically include cookies, the actions can be authenticated and sensitive if CSRF protection is disabled.
Example of violating code:
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
public class SecurityConfig {
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
// OR
http.csrf().ignoringAntMatchers("/api/*");
}
}This code is problematic because it disables CSRF protection entirely or for specific URL patterns, leaving the application vulnerable to CSRF attacks.
No description provided.