Encrypting data is security-sensitive. It has led in the past to the following vulnerabilities:
Proper encryption requires both the encryption algorithm and the key to be strong. Obviously the private key needs to remain secret and be renewed regularly. However these are not the only means to defeat or weaken an encryption.
This rule flags function calls that initiate encryption/decryption.
You are at risk if you answered yes to any of those questions.
Builtin functions
function myEncrypt($cipher, $key, $data, $mode, $iv, $options, $padding, $infile, $outfile, $recipcerts, $headers, $nonce, $ad, $pub_key_ids, $env_keys)
{
mcrypt_ecb ($cipher, $key, $data, $mode); // Sensitive
mcrypt_cfb($cipher, $key, $data, $mode, $iv); // Sensitive
mcrypt_cbc($cipher, $key, $data, $mode, $iv); // Sensitive
mcrypt_encrypt($cipher, $key, $data, $mode); // Sensitive
openssl_encrypt($data, $cipher, $key, $options, $iv); // Sensitive
openssl_public_encrypt($data, $crypted, $key, $padding); // Sensitive
openssl_pkcs7_encrypt($infile, $outfile, $recipcerts, $headers); // Sensitive
openssl_seal($data, $sealed_data, $env_keys, $pub_key_ids); // Sensitive
sodium_crypto_aead_aes256gcm_encrypt ($data, $ad, $nonce, $key); // Sensitive
sodium_crypto_aead_chacha20poly1305_encrypt ($data, $ad, $nonce, $key); // Sensitive
sodium_crypto_aead_chacha20poly1305_ietf_encrypt ($data, $ad, $nonce, $key); // Sensitive
sodium_crypto_aead_xchacha20poly1305_ietf_encrypt ($data, $ad, $nonce, $key); // Sensitive
sodium_crypto_box_seal ($data, $key); // Sensitive
sodium_crypto_box ($data, $nonce, $key); // Sensitive
sodium_crypto_secretbox ($data, $nonce, $key); // Sensitive
sodium_crypto_stream_xor ($data, $nonce, $key); // Sensitive
}
CakePHP
use Cake\Utility\Security;
function myCakeEncrypt($key, $data, $engine)
{
Security::encrypt($data, $key); // Sensitive
// Do not use custom made engines and remember that Mcrypt is deprecated.
Security::engine($engine); // Sensitive. Setting the encryption engine.
}
CodeIgniter
class EncryptionController extends CI_Controller
{
public function __construct()
{
parent::__construct();
$this->load->library('encryption');
}
public function index()
{
$this->encryption->create_key(16); // Sensitive. Review the key length.
$this->encryption->initialize( // Sensitive.
array(
'cipher' => 'aes-256',
'mode' => 'ctr',
'key' => 'the key',
)
);
$this->encryption->encrypt("mysecretdata"); // Sensitive.
}
}
CraftCMS version 3
use Craft;
// This is similar to Yii as it used by CraftCMS
function craftEncrypt($data, $key, $password) {
Craft::$app->security->encryptByKey($data, $key); // Sensitive
Craft::$app->getSecurity()->encryptByKey($data, $key); // Sensitive
Craft::$app->security->encryptByPassword($data, $password); // Sensitive
Craft::$app->getSecurity()->encryptByPassword($data, $password); // Sensitive
}
Drupal 7 - Encrypt module
function drupalEncrypt() {
$encrypted_text = encrypt('some string to encrypt'); // Sensitive
}
Joomla
use Joomla\Crypt\CipherInterface;
abstract class MyCipher implements CipherInterface // Sensitive. Implementing custom cipher class
{}
function joomlaEncrypt() {
new Joomla\Crypt\Cipher_Sodium(); // Sensitive
new Joomla\Crypt\Cipher_Simple(); // Sensitive
new Joomla\Crypt\Cipher_Rijndael256(); // Sensitive
new Joomla\Crypt\Cipher_Crypto(); // Sensitive
new Joomla\Crypt\Cipher_Blowfish(); // Sensitive
new Joomla\Crypt\Cipher_3DES(); // Sensitive
}
}
Laravel
use Illuminate\Support\Facades\Crypt;
function myLaravelEncrypt($data)
{
Crypt::encryptString($data); // Sensitive
Crypt::encrypt($data); // Sensitive
// encrypt using the Laravel "encrypt" helper
encrypt($data); // Sensitive
}
PHP-Encryption library
use Defuse\Crypto\Crypto;
use Defuse\Crypto\File;
function mypPhpEncryption($data, $key, $password, $inputFilename, $outputFilename, $inputHandle, $outputHandle) {
Crypto::encrypt($data, $key); // Sensitive
Crypto::encryptWithPassword($data, $password); // Sensitive
File::encryptFile($inputFilename, $outputFilename, $key); // Sensitive
File::encryptFileWithPassword($inputFilename, $outputFilename, $password); // Sensitive
File::encryptResource($inputHandle, $outputHandle, $key); // Sensitive
File::encryptResourceWithPassword($inputHandle, $outputHandle, $password); // Sensitive
}
PhpSecLib
function myphpseclib($mode) {
new phpseclib\Crypt\RSA(); // Sensitive. Note: RSA can also be used for signing data.
new phpseclib\Crypt\AES(); // Sensitive
new phpseclib\Crypt\Rijndael(); // Sensitive
new phpseclib\Crypt\Twofish(); // Sensitive
new phpseclib\Crypt\Blowfish(); // Sensitive
new phpseclib\Crypt\RC4(); // Sensitive
new phpseclib\Crypt\RC2(); // Sensitive
new phpseclib\Crypt\TripleDES(); // Sensitive
new phpseclib\Crypt\DES(); // Sensitive
new phpseclib\Crypt\AES($mode); // Sensitive
new phpseclib\Crypt\Rijndael($mode); // Sensitive
new phpseclib\Crypt\TripleDES($mode); // Sensitive
new phpseclib\Crypt\DES($mode); // Sensitive
}
Sodium Compat library
function mySodiumCompatEncrypt($data, $ad, $nonce, $key) {
ParagonIE_Sodium_Compat::crypto_aead_chacha20poly1305_ietf_encrypt($data, $ad, $nonce, $key); // Sensitive
ParagonIE_Sodium_Compat::crypto_aead_xchacha20poly1305_ietf_encrypt($data, $ad, $nonce, $key); // Sensitive
ParagonIE_Sodium_Compat::crypto_aead_chacha20poly1305_encrypt($data, $ad, $nonce, $key); // Sensitive
ParagonIE_Sodium_Compat::crypto_aead_aes256gcm_encrypt($data, $ad, $nonce, $key); // Sensitive
ParagonIE_Sodium_Compat::crypto_box($data, $nonce, $key); // Sensitive
ParagonIE_Sodium_Compat::crypto_secretbox($data, $nonce, $key); // Sensitive
ParagonIE_Sodium_Compat::crypto_box_seal($data, $key); // Sensitive
ParagonIE_Sodium_Compat::crypto_secretbox_xchacha20poly1305($data, $nonce, $key); // Sensitive
}
Yii version 2
use Yii;
// Similar to CraftCMS as it uses Yii
function YiiEncrypt($data, $key, $password) {
Yii::$app->security->encryptByKey($data, $key); // Sensitive
Yii::$app->getSecurity()->encryptByKey($data, $key); // Sensitive
Yii::$app->security->encryptByPassword($data, $password); // Sensitive
Yii::$app->getSecurity()->encryptByPassword($data, $password); // Sensitive
}
Zend
use Zend\Crypt\FileCipher;
use Zend\Crypt\PublicKey\DiffieHellman;
use Zend\Crypt\PublicKey\Rsa;
use Zend\Crypt\Hybrid;
use Zend\Crypt\BlockCipher;
function myZendEncrypt($key, $data, $prime, $options, $generator, $lib)
{
new FileCipher; // Sensitive. This is used to encrypt files
new DiffieHellman($prime, $generator, $key); // Sensitive
$rsa = Rsa::factory([ // Sensitive
'public_key' => 'public_key.pub',
'private_key' => 'private_key.pem',
'pass_phrase' => 'mypassphrase',
'binary_output' => false,
]);
$rsa->encrypt($data); // No issue raised here. The configuration of the Rsa object is the line to review.
$hybrid = new Hybrid(); // Sensitive
BlockCipher::factory($lib, $options); // Sensitive
}
This rule is deprecated; use {rule:php:S4426}, {rule:php:S5542}, {rule:php:S5547} instead.