Prevent usage of hardcoded keys

This product is not supported for your selected Datadog site. ().

Metadata

ID: apex-security/hardcoded-key

Language: Apex

Severity: Warning

Category: Security

CWE: 321

Description

This rule aims to prevent the use of hardcoded keys or initialization vectors (IVs) in cryptographic operations. Hardcoding sensitive cryptographic material directly in the source code poses significant security risks, as it makes keys easily discoverable and vulnerable to unauthorized access.

To comply with this rule, developers should generate encryption keys and IVs dynamically at runtime using secure methods or retrieve them securely from protected storage mechanisms. For example, instead of Blob key = Blob.valueOf('0000000000000000');, a compliant approach would be Blob key = Blob.valueOf(getRandomValue()); where getRandomValue() produces a secure, random key.

Non-Compliant Code Examples

class NotCompliant {

	public void notCompliant() {
		Blob data = Blob.valueOf('some data');
		Blob encrypted = Crypto.encrypt('AES128', '0000000000000000', 'Hardcoded IV 123', data);
    }
}

class NotCompliant {

	public void notCompliant() {
		Blob encryptedText = Blob.valueOf('Some encrypted cipher text');
		Blob IV = Blob.valueOf(generateEncryptionIV());
		Blob key = Blob.valueOf('0000000000000000');
		Blob encrypted = Crypto.encrypt('AES128', key, IV, data);
	}
}

class NotCompliant {

	public void compliant() {
		Blob encryptedCipherText = Blob.valueOf('some encrypted text');
		Blob hardCodedIV = Blob.valueOf('my IV');
		Blob key = Blob.valueOf(generateEncryptionKey());
		Blob encrypted = Crypto.encrypt('AES128', key, hardCodedIV, data);
	}
}

class NotCompliant {

	public void badCryptoDecryption() {
		Blob encryptedCipherText = Blob.valueOf('some text');
		Blob hardCodedIV = Blob.valueOf('hardcoded iv');
		Blob hardCodedKey = Blob.valueOf('0000000000000000');
		Blob decryptedCipherText = Crypto.decrypt('AES128', hardCodedKey, hardCodedIV, encryptedCipherText);
	}
}

class NotCompliant {

	public void notCompliant() {
		Blob IV = Blob.valueOf(generateEncryptionIV());
		Blob hardCodedKey = Blob.valueOf('0000000000000000');
		Blob data = Blob.valueOf('Data to be encrypted');
		Blob encrypted = Crypto.encrypt('AES128', hardCodedKey, IV, data);
	}
}

class NotCompliant {

	public void notCompliant() {
		Blob hardCodedIV = Blob.valueOf('Hardcoded IV 123');
		Blob key = Blob.valueOf(generateEncryptionKey());
		Blob data = Blob.valueOf('Data to be encrypted');
		Blob encrypted = Crypto.encrypt('AES128', key, hardCodedIV, data);
	}
}

class NotCompliant {

	public void notCompliant() {
		Blob hardCodedIV = Blob.valueOf('Hardcoded IV 123');
		Blob hardCodedKey = Blob.valueOf('0000000000000000');
		Blob data = Blob.valueOf('Data to be encrypted');
		Blob encrypted = Crypto.encrypt('AES128', hardCodedKey, hardCodedIV, data);
    }
}

Compliant Code Examples

class Compliant {
	public void compliantExample() {
		Blob encryptedText = Blob.valueOf('foobar');
		Blob IV = Blob.valueOf(generateEncryptionIV());
		Blob key = Blob.valueOf(getRandomValue());
		Blob encrypted = Crypto.encrypt('AES128', key, IV, data);
	}
}

class NotCompliant {

	public void goodCryptoEncryption() {
		Blob IV = Blob.valueOf(getRandomValue());
		Blob key = Blob.valueOf(getRandomValue());
		Blob data = Blob.valueOf('Data to be encrypted');
		Blob encrypted = Crypto.encrypt('AES128', key, IV, data);
	}
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Security

Datadog Code Security