Prevent usage of hardcoded keys

This product is not supported for your selected Datadog site. ().
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: apex-security/hardcoded-key

Language: Apex

Severity: Warning

Category: Security

CWE: 321

Description

This rule aims to prevent the use of hardcoded keys or initialization vectors (IVs) in cryptographic operations. Hardcoding sensitive cryptographic material directly in the source code poses significant security risks, as it makes keys easily discoverable and vulnerable to unauthorized access.

To comply with this rule, developers should generate encryption keys and IVs dynamically at runtime using secure methods or retrieve them securely from protected storage mechanisms. For example, instead of Blob key = Blob.valueOf('0000000000000000');, a compliant approach would be Blob key = Blob.valueOf(getRandomValue()); where getRandomValue() produces a secure, random key.

Non-Compliant Code Examples

class NotCompliant {

	public void notCompliant() {
		Blob data = Blob.valueOf('some data');
		Blob encrypted = Crypto.encrypt('AES128', '0000000000000000', 'Hardcoded IV 123', data);
    }
}

class NotCompliant {

	public void notCompliant() {
		Blob encryptedText = Blob.valueOf('Some encrypted cipher text');
		Blob IV = Blob.valueOf(generateEncryptionIV());
		Blob key = Blob.valueOf('0000000000000000');
		Blob encrypted = Crypto.encrypt('AES128', key, IV, data);
	}
}

class NotCompliant {

	public void compliant() {
		Blob encryptedCipherText = Blob.valueOf('some encrypted text');
		Blob hardCodedIV = Blob.valueOf('my IV');
		Blob key = Blob.valueOf(generateEncryptionKey());
		Blob encrypted = Crypto.encrypt('AES128', key, hardCodedIV, data);
	}
}

class NotCompliant {

	public void badCryptoDecryption() {
		Blob encryptedCipherText = Blob.valueOf('some text');
		Blob hardCodedIV = Blob.valueOf('hardcoded iv');
		Blob hardCodedKey = Blob.valueOf('0000000000000000');
		Blob decryptedCipherText = Crypto.decrypt('AES128', hardCodedKey, hardCodedIV, encryptedCipherText);
	}
}

class NotCompliant {

	public void notCompliant() {
		Blob IV = Blob.valueOf(generateEncryptionIV());
		Blob hardCodedKey = Blob.valueOf('0000000000000000');
		Blob data = Blob.valueOf('Data to be encrypted');
		Blob encrypted = Crypto.encrypt('AES128', hardCodedKey, IV, data);
	}
}

class NotCompliant {

	public void notCompliant() {
		Blob hardCodedIV = Blob.valueOf('Hardcoded IV 123');
		Blob key = Blob.valueOf(generateEncryptionKey());
		Blob data = Blob.valueOf('Data to be encrypted');
		Blob encrypted = Crypto.encrypt('AES128', key, hardCodedIV, data);
	}
}

class NotCompliant {

	public void notCompliant() {
		Blob hardCodedIV = Blob.valueOf('Hardcoded IV 123');
		Blob hardCodedKey = Blob.valueOf('0000000000000000');
		Blob data = Blob.valueOf('Data to be encrypted');
		Blob encrypted = Crypto.encrypt('AES128', hardCodedKey, hardCodedIV, data);
    }
}

Compliant Code Examples

class Compliant {
	public void compliantExample() {
		Blob encryptedText = Blob.valueOf('foobar');
		Blob IV = Blob.valueOf(generateEncryptionIV());
		Blob key = Blob.valueOf(getRandomValue());
		Blob encrypted = Crypto.encrypt('AES128', key, IV, data);
	}
}

class NotCompliant {

	public void goodCryptoEncryption() {
		Blob IV = Blob.valueOf(getRandomValue());
		Blob key = Blob.valueOf(getRandomValue());
		Blob data = Blob.valueOf('Data to be encrypted');
		Blob encrypted = Crypto.encrypt('AES128', key, IV, data);
	}
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

원활한 통합. Datadog Code Security를 경험해 보세요

Datadog Code Security