rspec/rules/S4787/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
using System;
using System.Security.Cryptography;

namespace MyNamespace
{
    public class MyClass
    {
        public void Main()
        {
            Byte[] data = {1,1,1};

            RSA myRSA = RSA.Create();
            RSAEncryptionPadding padding = RSAEncryptionPadding.CreateOaep(HashAlgorithmName.SHA1);
            // Review all base RSA class' Encrypt/Decrypt calls
            myRSA.Encrypt(data, padding); // Sensitive
            myRSA.EncryptValue(data); // Sensitive
            myRSA.Decrypt(data, padding); // Sensitive
            myRSA.DecryptValue(data); // Sensitive

            RSACryptoServiceProvider myRSAC = new RSACryptoServiceProvider();
            // Review the use of any TryEncrypt/TryDecrypt and specific Encrypt/Decrypt of RSA subclasses.
            myRSAC.Encrypt(data, false); // Sensitive
            myRSAC.Decrypt(data, false); // Sensitive
            int written;
            myRSAC.TryEncrypt(data, Span<byte>.Empty, padding, out written); // Sensitive
            myRSAC.TryDecrypt(data, Span<byte>.Empty, padding, out written); // Sensitive

            byte[] rgbKey = {1,2,3};
            byte[] rgbIV = {4,5,6};
            SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
            // Review the creation of Encryptors from any SymmetricAlgorithm instance.
            rijn.CreateEncryptor(); // Sensitive
            rijn.CreateEncryptor(rgbKey, rgbIV); // Sensitive
            rijn.CreateDecryptor(); // Sensitive
            rijn.CreateDecryptor(rgbKey, rgbIV); // Sensitive
        }

        public class MyCrypto : System.Security.Cryptography.AsymmetricAlgorithm // Sensitive
        { 
            // ...
        }

        public class MyCrypto2 : System.Security.Cryptography.SymmetricAlgorithm // Sensitive 
        {
            // ...
        }
    }
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 8 Oct 2018, 18:14:56 Nicolas Harraudeau wrote:
*Implementation details*:

Note that the example does not list all RSA subclasses. RSA subclasses have additional encryption and decryption methods which are not present in the parent class.


See https://docs.microsoft.com/en-gb/dotnet/standard/security/encrypting-data[.Net documentation].


=== on 6 Nov 2018, 18:57:56 Duncan Pocklington wrote:
\[~nicolas.harraudeau] a couple of questions:

* _MyCrypto2 : System.Security.Cryptography.SymmetricAlgorithm_: _MyCrypto2_ will have to provide implementations of _CreateEncryptor_ and _CreateDecryptor_, and any use of those methods will be flagged as issues. What's the reason for also flagging class definitions that inherit from _SymmetricAlgorithms_? Is it because implementing your own encrypting algorithms isn't generally a good idea? If so, it would be worth adding that as a comment in the Sensitive Code Example.
* same for _AsymmetricAlgorithm_, except in this case the answer might be different since the base class doesn't define any methods that we are tracking

=== on 7 Nov 2018, 09:57:32 Nicolas Harraudeau wrote:
\[~duncan.pocklington] As said IRL: for both classes it is generally a bad practice to define your own implementations. I'll update the RSPEC right away.

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`using System;`
			`using System.Security.Cryptography;`

			`namespace MyNamespace`
			`{`
			`public class MyClass`
			`{`
			`public void Main()`
			`{`
			`Byte[] data = {1,1,1};`

			`RSA myRSA = RSA.Create();`
			`RSAEncryptionPadding padding = RSAEncryptionPadding.CreateOaep(HashAlgorithmName.SHA1);`
			`// Review all base RSA class' Encrypt/Decrypt calls`
			`myRSA.Encrypt(data, padding); // Sensitive`
			`myRSA.EncryptValue(data); // Sensitive`
			`myRSA.Decrypt(data, padding); // Sensitive`
			`myRSA.DecryptValue(data); // Sensitive`

			`RSACryptoServiceProvider myRSAC = new RSACryptoServiceProvider();`
			`// Review the use of any TryEncrypt/TryDecrypt and specific Encrypt/Decrypt of RSA subclasses.`
			`myRSAC.Encrypt(data, false); // Sensitive`
			`myRSAC.Decrypt(data, false); // Sensitive`
			`int written;`
			`myRSAC.TryEncrypt(data, Span<byte>.Empty, padding, out written); // Sensitive`
			`myRSAC.TryDecrypt(data, Span<byte>.Empty, padding, out written); // Sensitive`

			`byte[] rgbKey = {1,2,3};`
			`byte[] rgbIV = {4,5,6};`
			`SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();`
			`// Review the creation of Encryptors from any SymmetricAlgorithm instance.`
			`rijn.CreateEncryptor(); // Sensitive`
			`rijn.CreateEncryptor(rgbKey, rgbIV); // Sensitive`
			`rijn.CreateDecryptor(); // Sensitive`
			`rijn.CreateDecryptor(rgbKey, rgbIV); // Sensitive`
			`}`

			`public class MyCrypto : System.Security.Cryptography.AsymmetricAlgorithm // Sensitive`
			`{`
			`// ...`
			`}`

			`public class MyCrypto2 : System.Security.Cryptography.SymmetricAlgorithm // Sensitive`
			`{`
			`// ...`
			`}`
			`}`
			`}`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`include::../highlighting.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 8 Oct 2018, 18:14:56 Nicolas Harraudeau wrote:`
			`Implementation details:`

			`Note that the example does not list all RSA subclasses. RSA subclasses have additional encryption and decryption methods which are not present in the parent class.`


			`See https://docs.microsoft.com/en-gb/dotnet/standard/security/encrypting-data[.Net documentation].`



			`=== on 6 Nov 2018, 18:57:56 Duncan Pocklington wrote:`
			`\[~nicolas.harraudeau] a couple of questions:`

			`* _MyCrypto2 : System.Security.Cryptography.SymmetricAlgorithm_: _MyCrypto2_ will have to provide implementations of _CreateEncryptor_ and _CreateDecryptor_, and any use of those methods will be flagged as issues. What's the reason for also flagging class definitions that inherit from _SymmetricAlgorithms_? Is it because implementing your own encrypting algorithms isn't generally a good idea? If so, it would be worth adding that as a comment in the Sensitive Code Example.`
			`* same for _AsymmetricAlgorithm_, except in this case the answer might be different since the base class doesn't define any methods that we are tracking`

			`=== on 7 Nov 2018, 09:57:32 Nicolas Harraudeau wrote:`
			`\[~duncan.pocklington] As said IRL: for both classes it is generally a bad practice to define your own implementations. I'll update the RSPEC right away.`

			`include::../comments-and-links.adoc[]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`