2020-06-30 12:49:37 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
|
|
|
|
|
|
Builtin functions
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
function myEncrypt($cipher, $key, $data, $mode, $iv, $options, $padding, $infile, $outfile, $recipcerts, $headers, $nonce, $ad, $pub_key_ids, $env_keys)
|
|
|
|
|
{
|
|
|
|
|
mcrypt_ecb ($cipher, $key, $data, $mode); // Sensitive
|
|
|
|
|
mcrypt_cfb($cipher, $key, $data, $mode, $iv); // Sensitive
|
|
|
|
|
mcrypt_cbc($cipher, $key, $data, $mode, $iv); // Sensitive
|
|
|
|
|
mcrypt_encrypt($cipher, $key, $data, $mode); // Sensitive
|
|
|
|
|
|
|
|
|
|
openssl_encrypt($data, $cipher, $key, $options, $iv); // Sensitive
|
|
|
|
|
openssl_public_encrypt($data, $crypted, $key, $padding); // Sensitive
|
|
|
|
|
openssl_pkcs7_encrypt($infile, $outfile, $recipcerts, $headers); // Sensitive
|
|
|
|
|
openssl_seal($data, $sealed_data, $env_keys, $pub_key_ids); // Sensitive
|
|
|
|
|
|
|
|
|
|
sodium_crypto_aead_aes256gcm_encrypt ($data, $ad, $nonce, $key); // Sensitive
|
|
|
|
|
sodium_crypto_aead_chacha20poly1305_encrypt ($data, $ad, $nonce, $key); // Sensitive
|
|
|
|
|
sodium_crypto_aead_chacha20poly1305_ietf_encrypt ($data, $ad, $nonce, $key); // Sensitive
|
|
|
|
|
sodium_crypto_aead_xchacha20poly1305_ietf_encrypt ($data, $ad, $nonce, $key); // Sensitive
|
|
|
|
|
sodium_crypto_box_seal ($data, $key); // Sensitive
|
|
|
|
|
sodium_crypto_box ($data, $nonce, $key); // Sensitive
|
|
|
|
|
sodium_crypto_secretbox ($data, $nonce, $key); // Sensitive
|
|
|
|
|
sodium_crypto_stream_xor ($data, $nonce, $key); // Sensitive
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
CakePHP
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
use Cake\Utility\Security;
|
|
|
|
|
|
|
|
|
|
function myCakeEncrypt($key, $data, $engine)
|
|
|
|
|
{
|
|
|
|
|
Security::encrypt($data, $key); // Sensitive
|
|
|
|
|
|
|
|
|
|
// Do not use custom made engines and remember that Mcrypt is deprecated.
|
|
|
|
|
Security::engine($engine); // Sensitive. Setting the encryption engine.
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
CodeIgniter
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
class EncryptionController extends CI_Controller
|
|
|
|
|
{
|
|
|
|
|
public function __construct()
|
|
|
|
|
{
|
|
|
|
|
parent::__construct();
|
|
|
|
|
$this->load->library('encryption');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function index()
|
|
|
|
|
{
|
|
|
|
|
$this->encryption->create_key(16); // Sensitive. Review the key length.
|
|
|
|
|
$this->encryption->initialize( // Sensitive.
|
|
|
|
|
array(
|
|
|
|
|
'cipher' => 'aes-256',
|
|
|
|
|
'mode' => 'ctr',
|
|
|
|
|
'key' => 'the key',
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
$this->encryption->encrypt("mysecretdata"); // Sensitive.
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
CraftCMS version 3
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
use Craft;
|
|
|
|
|
|
|
|
|
|
// This is similar to Yii as it used by CraftCMS
|
|
|
|
|
function craftEncrypt($data, $key, $password) {
|
|
|
|
|
Craft::$app->security->encryptByKey($data, $key); // Sensitive
|
|
|
|
|
Craft::$app->getSecurity()->encryptByKey($data, $key); // Sensitive
|
|
|
|
|
Craft::$app->security->encryptByPassword($data, $password); // Sensitive
|
|
|
|
|
Craft::$app->getSecurity()->encryptByPassword($data, $password); // Sensitive
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
Drupal 7 - Encrypt module
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
function drupalEncrypt() {
|
|
|
|
|
$encrypted_text = encrypt('some string to encrypt'); // Sensitive
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
Joomla
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
use Joomla\Crypt\CipherInterface;
|
|
|
|
|
|
|
|
|
|
abstract class MyCipher implements CipherInterface // Sensitive. Implementing custom cipher class
|
|
|
|
|
{}
|
|
|
|
|
|
|
|
|
|
function joomlaEncrypt() {
|
|
|
|
|
new Joomla\Crypt\Cipher_Sodium(); // Sensitive
|
|
|
|
|
new Joomla\Crypt\Cipher_Simple(); // Sensitive
|
|
|
|
|
new Joomla\Crypt\Cipher_Rijndael256(); // Sensitive
|
|
|
|
|
new Joomla\Crypt\Cipher_Crypto(); // Sensitive
|
|
|
|
|
new Joomla\Crypt\Cipher_Blowfish(); // Sensitive
|
|
|
|
|
new Joomla\Crypt\Cipher_3DES(); // Sensitive
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
Laravel
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
use Illuminate\Support\Facades\Crypt;
|
|
|
|
|
|
|
|
|
|
function myLaravelEncrypt($data)
|
|
|
|
|
{
|
|
|
|
|
Crypt::encryptString($data); // Sensitive
|
|
|
|
|
Crypt::encrypt($data); // Sensitive
|
|
|
|
|
// encrypt using the Laravel "encrypt" helper
|
|
|
|
|
encrypt($data); // Sensitive
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
PHP-Encryption library
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
use Defuse\Crypto\Crypto;
|
|
|
|
|
use Defuse\Crypto\File;
|
|
|
|
|
|
|
|
|
|
function mypPhpEncryption($data, $key, $password, $inputFilename, $outputFilename, $inputHandle, $outputHandle) {
|
|
|
|
|
Crypto::encrypt($data, $key); // Sensitive
|
|
|
|
|
Crypto::encryptWithPassword($data, $password); // Sensitive
|
|
|
|
|
File::encryptFile($inputFilename, $outputFilename, $key); // Sensitive
|
|
|
|
|
File::encryptFileWithPassword($inputFilename, $outputFilename, $password); // Sensitive
|
|
|
|
|
File::encryptResource($inputHandle, $outputHandle, $key); // Sensitive
|
|
|
|
|
File::encryptResourceWithPassword($inputHandle, $outputHandle, $password); // Sensitive
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
PhpSecLib
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
function myphpseclib($mode) {
|
|
|
|
|
new phpseclib\Crypt\RSA(); // Sensitive. Note: RSA can also be used for signing data.
|
|
|
|
|
new phpseclib\Crypt\AES(); // Sensitive
|
|
|
|
|
new phpseclib\Crypt\Rijndael(); // Sensitive
|
|
|
|
|
new phpseclib\Crypt\Twofish(); // Sensitive
|
|
|
|
|
new phpseclib\Crypt\Blowfish(); // Sensitive
|
|
|
|
|
new phpseclib\Crypt\RC4(); // Sensitive
|
|
|
|
|
new phpseclib\Crypt\RC2(); // Sensitive
|
|
|
|
|
new phpseclib\Crypt\TripleDES(); // Sensitive
|
|
|
|
|
new phpseclib\Crypt\DES(); // Sensitive
|
|
|
|
|
|
|
|
|
|
new phpseclib\Crypt\AES($mode); // Sensitive
|
|
|
|
|
new phpseclib\Crypt\Rijndael($mode); // Sensitive
|
|
|
|
|
new phpseclib\Crypt\TripleDES($mode); // Sensitive
|
|
|
|
|
new phpseclib\Crypt\DES($mode); // Sensitive
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
Sodium Compat library
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
function mySodiumCompatEncrypt($data, $ad, $nonce, $key) {
|
|
|
|
|
ParagonIE_Sodium_Compat::crypto_aead_chacha20poly1305_ietf_encrypt($data, $ad, $nonce, $key); // Sensitive
|
|
|
|
|
ParagonIE_Sodium_Compat::crypto_aead_xchacha20poly1305_ietf_encrypt($data, $ad, $nonce, $key); // Sensitive
|
|
|
|
|
ParagonIE_Sodium_Compat::crypto_aead_chacha20poly1305_encrypt($data, $ad, $nonce, $key); // Sensitive
|
|
|
|
|
|
|
|
|
|
ParagonIE_Sodium_Compat::crypto_aead_aes256gcm_encrypt($data, $ad, $nonce, $key); // Sensitive
|
|
|
|
|
|
|
|
|
|
ParagonIE_Sodium_Compat::crypto_box($data, $nonce, $key); // Sensitive
|
|
|
|
|
ParagonIE_Sodium_Compat::crypto_secretbox($data, $nonce, $key); // Sensitive
|
|
|
|
|
ParagonIE_Sodium_Compat::crypto_box_seal($data, $key); // Sensitive
|
|
|
|
|
ParagonIE_Sodium_Compat::crypto_secretbox_xchacha20poly1305($data, $nonce, $key); // Sensitive
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
Yii version 2
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
use Yii;
|
|
|
|
|
|
|
|
|
|
// Similar to CraftCMS as it uses Yii
|
|
|
|
|
function YiiEncrypt($data, $key, $password) {
|
|
|
|
|
Yii::$app->security->encryptByKey($data, $key); // Sensitive
|
|
|
|
|
Yii::$app->getSecurity()->encryptByKey($data, $key); // Sensitive
|
|
|
|
|
Yii::$app->security->encryptByPassword($data, $password); // Sensitive
|
|
|
|
|
Yii::$app->getSecurity()->encryptByPassword($data, $password); // Sensitive
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
Zend
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:49:37 +02:00
|
|
|
----
|
|
|
|
|
use Zend\Crypt\FileCipher;
|
|
|
|
|
use Zend\Crypt\PublicKey\DiffieHellman;
|
|
|
|
|
use Zend\Crypt\PublicKey\Rsa;
|
|
|
|
|
use Zend\Crypt\Hybrid;
|
|
|
|
|
use Zend\Crypt\BlockCipher;
|
|
|
|
|
|
|
|
|
|
function myZendEncrypt($key, $data, $prime, $options, $generator, $lib)
|
|
|
|
|
{
|
|
|
|
|
new FileCipher; // Sensitive. This is used to encrypt files
|
|
|
|
|
|
|
|
|
|
new DiffieHellman($prime, $generator, $key); // Sensitive
|
|
|
|
|
|
|
|
|
|
$rsa = Rsa::factory([ // Sensitive
|
|
|
|
|
'public_key' => 'public_key.pub',
|
|
|
|
|
'private_key' => 'private_key.pem',
|
|
|
|
|
'pass_phrase' => 'mypassphrase',
|
|
|
|
|
'binary_output' => false,
|
|
|
|
|
]);
|
|
|
|
|
$rsa->encrypt($data); // No issue raised here. The configuration of the Rsa object is the line to review.
|
|
|
|
|
|
|
|
|
|
$hybrid = new Hybrid(); // Sensitive
|
|
|
|
|
|
|
|
|
|
BlockCipher::factory($lib, $options); // Sensitive
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
include::../see.adoc[]
|
2021-06-02 20:44:38 +02:00
|
|
|
|
2021-06-03 09:05:38 +02:00
|
|
|
ifdef::env-github,rspecator-view[]
|
2021-09-20 15:38:42 +02:00
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
include::../message.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
|
|
2021-06-08 15:52:13 +02:00
|
|
|
'''
|
2021-06-02 20:44:38 +02:00
|
|
|
== Comments And Links
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
include::../comments-and-links.adoc[]
|
2023-06-22 10:38:01 +02:00
|
|
|
|
2021-06-03 09:05:38 +02:00
|
|
|
endif::env-github,rspecator-view[]
|
