Cette page n'est pas encore disponible en français, sa traduction est en cours. Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.
Metadata
ID:java-security/avoid-null-cipher
Language: Java
Severity: Warning
Category: Security
Description
Do not use NullCipher as it does not transform the plaintext and the cipher text is identical to the text. Use real security measures for your application.
publicclassMain{publicstaticmain(String[]args){CipherdoNothingCihper=newNullCipher();CipherdoNothingCihper2=newjavax.crypto.NullCipher();}@OverridepublicvoiddoPost(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{response.setContentType("text/html;charset=UTF-8");javax.servlet.http.Cookie[]theCookies=request.getCookies();Stringparam="noCookieValueSupplied";if(theCookies!=null){for(javax.servlet.http.CookietheCookie:theCookies){if(theCookie.getName().equals("BenchmarkTest00073")){param=java.net.URLDecoder.decode(theCookie.getValue(),"UTF-8");break;}}}Stringbar;Stringguess="ABC";charswitchTarget=guess.charAt(1);// condition 'B', which is safe
// Simple case statement that assigns param to bar on conditions 'A', 'C', or 'D'
switch(switchTarget){case'A':bar=param;break;case'B':bar="bob";break;case'C':case'D':bar=param;break;default:bar="bob's your uncle";break;}try{java.security.MessageDigestmd=java.security.MessageDigest.getInstance("MD5");byte[]input={(byte)'?'};ObjectinputParam=bar;if(inputParaminstanceofString)input=((String)inputParam).getBytes();if(inputParaminstanceofjava.io.InputStream){byte[]strInput=newbyte[1000];inti=((java.io.InputStream)inputParam).read(strInput);if(i==-1){response.getWriter().println("This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");return;}input=java.util.Arrays.copyOf(strInput,i);}md.update(input);byte[]result=md.digest();java.io.FilefileTarget=newjava.io.File(newjava.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),"passwordFile.txt");java.io.FileWriterfw=newjava.io.FileWriter(fileTarget,true);// the true will append the new data
fw.write("hash_value="+org.owasp.esapi.ESAPI.encoder().encodeForBase64(result,true)+"\n");fw.close();response.getWriter().println("Sensitive value '"+org.owasp.esapi.ESAPI.encoder().encodeForHTML(newString(input))+"' hashed and stored<br/>");}catch(java.security.NoSuchAlgorithmExceptione){System.out.println("Problem executing hash - TestCase");thrownewServletException(e);}response.getWriter().println("Hash Test java.security.MessageDigest.getInstance(java.lang.String) executed");}}
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- java-security # Rules to enforce Java security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines
