8-CODEREVIEW_UTILS.md

🔬 Technical hints about code review

📡 Note: use the TOC provided by the GitHub Markdown rendering, named Outline.

🏡 Back to home.

📖 Methodology for code review.

Information about cryptography

🤝 After a discussion with my colleague Mr. Eric Brier (https://www.linkedin.com/in/ericbrier) regarding a question I had about cryptography in a quantum computing context, he kindly gave me the following advice:

  • For symmetric ciphering:
    • Use AES in GCM mode with a 256-bit key, because quantum computing (via Grover's algorithm) will halve the effective strength of the key size. So, 256 bits are currently (2024) enough to be resilient to quantum computing.
  • For asymmetric ciphering:
    • Use algorithms proven to be resilient to quantum computing, because quantum computing will mainly affect this area.
    • In 2024, they are the following (source):
      • CRYSTALS-Kyber: a lattice-based encryption algorithm known for its efficiency and strong security properties.
      • CRYSTALS-Dilithium: another lattice-based algorithm, but designed for digital signatures.
      • FALCON: a lattice-based digital signature algorithm that offers compact signatures and strong security.
      • SPHINCS+: a stateless hash-based signature scheme that provides strong security guarantees.
    • RSA, Diffie-Hellman and Elliptic Curve Cryptography (ECC) will be KO.
  • For hashing:
    • Use SHA3 hash algorithms, such as sha3_224, sha3_256, sha3_384 and sha3_512.
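As an added example of the symmetric recommendation above (this is not code from the original page nor from Mr. Brier), the following Go program encrypts and decrypts with AES-256-GCM from the standard library. The key, the message and the associated data are constructed for the example; the key-size check makes a 128-bit key an error rather than a silent downgrade, and the tamper test shows that GCM refuses to return any plaintext when the ciphertext, tag or associated data has been modified.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keySize is 32 bytes, i.e. a 256-bit AES key as recommended above.
const keySize = 32

// newGCM builds an AES-256-GCM AEAD and rejects any other key size,
// so a 128-bit key cannot slip in silently.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt seals plaintext; the 96-bit nonce comes from crypto/rand and is
// prefixed to the output (nonce || ciphertext || tag). aad is authenticated
// but not encrypted, e.g. a record identifier that must not be swapped.
func encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decrypt opens a message produced by encrypt. Any change to the nonce,
// ciphertext, tag or aad makes Open fail, and no plaintext is returned.
func decrypt(key, msg, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// newKey draws a fresh random 256-bit key.
func newKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("record-42") // constructed associated data for the example
	msg, err := encrypt(key, []byte("top secret"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := decrypt(key, msg, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)

	// Flip one bit of the tag: authentication fails and decrypt returns an error.
	tampered := append([]byte(nil), msg...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = decrypt(key, tampered, aad)
	fmt.Println("tampered message rejected:", err != nil)
}
```

Random 96-bit nonces are the simple choice for a modest number of messages per key; NIST SP 800-38D limits a key used with random nonces to about 2^32 encryptions, so a long-lived service must rotate keys (or use a counter-based nonce) before reaching that bound, because a repeated nonce under the same key breaks GCM's confidentiality and authentication.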

Hints regarding languages specificities

Java

  • JAXB, by default, does not allow the http, https or file protocols during unmarshalling operations: access must be granted explicitly.
  • Preferences.importPreferences(xmlFile) is not prone to XXE because it strictly validates that the DTD URL is equal to http://java.sun.com/dtd/preferences.dtd.
  • Setting the option XMLConstants.FEATURE_SECURE_PROCESSING to true on a javax.xml.parsers.DocumentBuilderFactory instance does not prevent exposure to XML Entity Expansion (XEE) attacks: POC.
    • javax.xml.stream.XMLInputFactory, by default, replaces internal entities (not external ones) because XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES is set to true. Therefore, it is prone to XML Entity Expansion (XEE) attacks: POC.
    • HOWEVER, from JDK 1.8 onward, the default JAXP properties are set to prevent exposure to XEE:
      • List of properties and their default values.
      • I was not able to exploit an XEE via DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(xeePocFile);.
      • 🚩 So, before raising an XXE exposure finding, a POC is required!
  • By default, loading an XML schema via SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI).newSchema(src); is prone to XXE.
  • Apache FOP: generating a PDF from an XML source through an XSLT stylesheet is not prone to IFRAME injection, via <node><![CDATA[<iframe src="file:///etc/hostname"></iframe>]]></node>, when the instruction <xsl:value-of select="node"/> is used in the XSLT (tested on FOP version 2.9).

Golang

  • The function Unmarshal(data []byte, v any) of the encoding/xml package does not resolve external DTDs, external entities or internal entities by default, so it is not prone to SSRF/XXE/XEE attacks.
  • If the external library libxml2 is used (through a Go binding), then parsing of external entities is disabled by default. However, if the option parser.XMLParseNoEnt is passed when the XML parser is created, like parser.New(parser.XMLParseNoEnt), then parsing of external entities is enabled (reference).
  • When comparing two strings in the context of a security validation, where case sensitivity could be used as a bypass, the function strings.EqualFold() (documentation) must be used:
```go
package main

import (
	"fmt"
	"strings"
)

func main() {
	var a = "localhost"
	var b = "LocalHost"
	// Plain equality is case-sensitive.
	var c = (a == b)
	// Byte-wise ordering comparison: 'l' sorts after 'L', so the result is 1.
	var d = strings.Compare(a, b)
	// Unicode case-folded equality: the comparison the validation needs.
	var e = strings.EqualFold(a, b)
	// prints false
	fmt.Println(c)
	// prints 1
	fmt.Println(d)
	// prints true
	fmt.Println(e)
}
```
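The encoding/xml behaviour stated in the first Golang bullet, as an added example that is not part of the original page: the same constructed XXE payload (its DOCTYPE points at a local file that is never read) is fed to a strict decoder, a non-strict decoder and a decoder with an explicit Entity map. The struct, the payload and the entity name xxe are assumptions made for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed XXE payload: a DOCTYPE declaring an external entity that
// points to a local file, then a reference to it in the document body.
const xxePayload = `<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<data><name>&xxe;</name></data>`

// data is the example target structure for the payload above.
type data struct {
	XMLName xml.Name `xml:"data"`
	Name    string   `xml:"name"`
}

// parseStrict uses xml.Unmarshal, whose decoder is strict by default: an
// entity that is neither predefined (lt, gt, amp, apos, quot) nor present in
// Decoder.Entity is a syntax error. The DOCTYPE is consumed as an opaque
// directive, so the SYSTEM identifier never triggers a file read.
func parseStrict(doc string) (string, error) {
	var d data
	if err := xml.Unmarshal([]byte(doc), &d); err != nil {
		return "", err
	}
	return d.Name, nil
}

// parseLenient turns strict mode off. The decoder still does not resolve the
// entity: the reference survives as the literal text "&xxe;".
func parseLenient(doc string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	dec.Strict = false
	var d data
	if err := dec.Decode(&d); err != nil {
		return "", err
	}
	return d.Name, nil
}

// parseWithEntityMap shows the only way a non-predefined entity is expanded:
// the calling code supplies the replacement text itself through
// Decoder.Entity. The declaration inside the DOCTYPE is ignored either way.
func parseWithEntityMap(doc string, entities map[string]string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	dec.Entity = entities
	var d data
	if err := dec.Decode(&d); err != nil {
		return "", err
	}
	return d.Name, nil
}

func main() {
	name, err := parseStrict(xxePayload)
	fmt.Printf("strict:     name=%q err=%v\n", name, err)
	name, err = parseLenient(xxePayload)
	fmt.Printf("non-strict: name=%q err=%v\n", name, err)
	name, err = parseWithEntityMap(xxePayload, map[string]string{"xxe": "app-supplied"})
	fmt.Printf("entity map: name=%q err=%v\n", name, err)
}
```

During a review, the Decoder.Entity map and Decoder.Strict are therefore the two fields worth grepping for around encoding/xml usage: neither reintroduces external entity resolution, but a populated Entity map is the only place where entity references turn into attacker-influenced text, and Strict = false silently accepts malformed input that a strict decoder would reject.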

Automated review using SemGrep

💡 This dedicated toolbox can be used.

🛑 Always ensure that the option --metrics=off is specified! 🛑

💻 Install via python3 -m pip install semgrep.

💻 Scan commands:

# Scan using the "r2c-security-audit" profile:
# "Scan code for potential security issues that require additional review."
# See https://semgrep.dev/p/r2c-security-audit
$ semgrep scan --config "p/r2c-security-audit" --force-color --text --metrics off --disable-version-check --oss-only
# Scan using the "default" profile:
# "The default ruleset configured in Semgrep App."
# See https://semgrep.dev/p/default
$ semgrep scan --config "p/default" --force-color --text --metrics off --disable-version-check --oss-only

Manual review using grep commands

XML schema

💻 Useful commands to identify the type of processing in place (excluding test-related content):

# Find if input validation is in place into XSD schemas via regular expressions
$ grep -F ":pattern" -rn --exclude-dir=test --include=\*.xsd .
# Find if input validation is in place into XSD schemas via restriction instructions other than regular expressions
$ grep -E ":(enumeration|fractionDigits|length|maxExclusive|maxInclusive|maxLength|minExclusive|minInclusive|minLength|totalDigits)\s+" -rn --exclude-dir=test --include=\*.xsd .

JavaScript

💡 Notes:

  • If Semgrep spots the usage of a regex that can be prone to ReDoS (rule), then the following tools can be used to validate the exposure:

💻 Useful commands to identify the type of processing in place (excluding test and third-party related content):

# Commons
## Find usage of the "javascript" protocol
$ grep -Fi "javascript:" -rn --exclude-dir=test --exclude-dir=node_modules .
# Vue.js
## Find insecure usage of the "v-html" directive
$ grep -F "v-html=" -rn --exclude-dir=test --exclude-dir=node_modules .
## Find explicit rendering of HTML content via innerHTML
$ grep -E "innerHTML[:=]" -rn --exclude-dir=test --exclude-dir=node_modules .
## Find usage of non-trusted templates
$ grep -F "template:" -rn --exclude-dir=test --exclude-dir=node_modules .
## Find assignment of styles from a non-trusted source
$ grep -F ":style" -rn --exclude-dir=test --exclude-dir=node_modules .

Java

💻 Useful commands to identify the type of processing in place (excluding test-related content):

# Find if input validation is in place using beans validation constraints
$ grep -E "@(Pattern|Size|Digits|Email|Negative|Positive|Length|Range)" -rn --exclude-dir=test --include=\*.java .
# Find if input validation is in place using regex
$ grep -F "Pattern" -rn --exclude-dir=test --include=\*.java .
# Find if input validation is in place using regex and focusing on regular expressions defined
$ grep -F "Pattern.compile(" -rn --exclude-dir=test --include=\*.java .
# Find if input validation is in place using Apache Commons-Lang features
$ grep -E "\.(isAlpha|isNumeric|isDigits|isParsable)" -rn --exclude-dir=test --include=\*.java .
# Find if input validation is in place but limited to the presence of a value
$ grep -E "\.(isNull|isEmpty|isBlank|isNotNull|isNotEmpty|isNotBlank|isAllBlank|isAllEmpty|isNoneBlank|isNoneEmpty)" -rn --exclude-dir=test --include=\*.java .
# Identify XML processing to check for exposure to XXE
$ grep -E "(DocumentBuilderFactory|XMLInputFactory|TransformerFactory|JAXBContext)" -rn --exclude-dir=test --include=\*.java .
# Identify cryptography related processing to check for weaknesses in usage/implementation
$ grep -E "(MessageDigest|Cipher|ParameterSpec|SecretKey|PrivateKey|PublicKey|KeyGenerator)" -rn --exclude-dir=test --include=\*.java .
# Identify system command execution
$ grep -F ".exec(" -rn --exclude-dir=test --include=\*.java .

💻 Useful commands to find types of files (excluding test-related content):

# Find keystores or truststores (quote the pattern so the shell does not expand it before find runs)
$ find . -not -path "*/test/*" -type f -name "*.jks"
# Find configuration files via properties files
$ find . -not -path "*/test/*" -type f -name "*.properties"