SONARJAVA-2929 Rule S2053: Remove FP when salt added via PBEParameterSpec

leveretka · quentin-jaquier-sonarsource · commit 06240ffacde2 · 2021-02-18T18:13:15.000+01:00
diff --git a/java-checks-test-sources/src/main/files/non-compiling/checks/security/UnpredictableSaltCheck.java b/java-checks-test-sources/src/main/files/non-compiling/checks/security/UnpredictableSaltCheck.java
@@ -8,6 +8,7 @@
 import java.util.Random;
 import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.PBEParameterSpec;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -17,17 +18,20 @@ public class UnpredictableSaltCheck {
   private static byte[] sSalt = new byte[]; 
 
   public void checkPBEKeySpecWithUnknownSalt(char[] chars) throws NoSuchAlgorithmException {
-    PBEKeySpec spec = new PBEKeySpec(chars); // Noncompliant
+    PBEKeySpec spec = new PBEKeySpec(chars);
     PBEKeySpec spec1 = new PBEKeySpec(chars, salt, 1); // Compliant 
     PBEKeySpec spec2 = new PBEKeySpec(chars, salt(), 1); // Compliant 
   }
 
   public void checkPBEKeySpec(char[] chars) throws NoSuchAlgorithmException {
     var salt = new byte[]{};
-    PBEKeySpec spec = new PBEKeySpec(chars); // Noncompliant
+    PBEKeySpec spec = new PBEKeySpec(chars);
     PBEKeySpec spec1 = new PBEKeySpec(chars, salt, 1); // Compliant 
     PBEKeySpec spec2 = new PBEKeySpec(chars, salt(), 1); // Compliant 
     PBEKeySpec spec3 = new PBEKeySpec(chars, sSalt, 1); // Compliant 
+
+    new PBEParameterSpec("notrandom".getBytes(), 10000);  // Noncompliant
+    new PBEParameterSpec(sSalt, 10000);  // Compliant
   }
 
 }
diff --git a/java-checks-test-sources/src/main/java/checks/security/UnpredictableSaltCheck.java b/java-checks-test-sources/src/main/java/checks/security/UnpredictableSaltCheck.java
@@ -4,11 +4,12 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.PBEParameterSpec;
 
 public class UnpredictableSaltCheck {
   
   public void testPBESpec(char[] chars, byte[] salt) throws NoSuchAlgorithmException {
-    PBEKeySpec spec = new PBEKeySpec(chars); // Noncompliant [[sc=23;ec=44]] {{Add an unpredictable salt value to this hash.}}
+    PBEKeySpec spec = new PBEKeySpec(chars); // Compliant
     PBEKeySpec spec1 = new PBEKeySpec(chars, salt, 1); // Compliant 
   }
 
@@ -36,6 +37,10 @@ public void testNonRandomPBESpec(char[] chars, String str) throws NoSuchAlgorith
     
     PBEKeySpec spec6 = new PBEKeySpec(chars, new MyMessageDigest("").engineDigest(), 2); // Compliant
     PBEKeySpec spec666 = new PBEKeySpec(chars, str.getBytes(), 2); // Compliant
+    
+    new PBEParameterSpec("notrandom".getBytes(), 10000);  // Noncompliant {{Make this salt unpredictable.}}
+    new PBEParameterSpec(salt, 10000);  // Noncompliant [[sc=5;ec=38;secondary=17]]
+    new PBEParameterSpec(finalSalt, 10000);  // Noncompliant [[sc=5;ec=43;secondary=20]]
   }
 
   private byte[] secureSalt() {
diff --git a/java-checks/src/main/java/org/sonar/java/checks/security/UnpredictableSaltCheck.java b/java-checks/src/main/java/org/sonar/java/checks/security/UnpredictableSaltCheck.java
@@ -42,13 +42,21 @@
 @Rule(key = "S2053")
 public class UnpredictableSaltCheck extends IssuableSubscriptionVisitor {
 
-  private static final String ADD_SALT = "Add an unpredictable salt value to this hash.";
   private static final String UNPREDICTABLE_SALT = "Make this salt unpredictable.";
 
+  private static final String BYTE_ARRAY = "byte[]";
   private static final MethodMatchers NEW_PBE_KEY_SPEC = MethodMatchers.create()
     .ofSubTypes("javax.crypto.spec.PBEKeySpec")
     .constructor()
-    .withAnyParameters()
+    .addParametersMatcher("char[]", BYTE_ARRAY, "int", "int")
+    .addParametersMatcher("char[]", BYTE_ARRAY, "int")
+    .build();
+
+  private static final MethodMatchers NEW_PBE_PARAM_SPEC = MethodMatchers.create()
+    .ofSubTypes("javax.crypto.spec.PBEParameterSpec")
+    .constructor()
+    .addParametersMatcher(BYTE_ARRAY, "int")
+    .addParametersMatcher(BYTE_ARRAY, "int", "java.security.spec.AlgorithmParameterSpec")
     .build();
 
   private static final MethodMatchers GET_BYTES = MethodMatchers.create()
@@ -65,17 +73,23 @@ public List<Tree.Kind> nodesToVisit() {
   @Override
   public void visitNode(Tree tree) {
     NewClassTree newClassTree = (NewClassTree) tree;
-    if (NEW_PBE_KEY_SPEC.matches(newClassTree)) {
-      if (newClassTree.arguments().size() <= 1) {
-        reportIssue(newClassTree, ADD_SALT);
-      } else {
-        ExpressionTree saltExpression = ExpressionUtils.skipParentheses(newClassTree.arguments().get(1));
-        List<JavaFileScannerContext.Location> locations = new ArrayList<>();
-        if (isPredictable(saltExpression, locations)) {
-          reportIssue(newClassTree, UNPREDICTABLE_SALT, locations, null);
-        }
+    saltExpression(((NewClassTree) tree))
+    .map(ExpressionUtils::skipParentheses)
+    .ifPresent(salt -> {
+      List<JavaFileScannerContext.Location> locations = new ArrayList<>();
+      if (isPredictable(salt, locations)) {
+        reportIssue(newClassTree, UNPREDICTABLE_SALT, locations, null);
       }
+    });
+  }
+  
+  private static Optional<ExpressionTree> saltExpression(NewClassTree tree) {
+    if (NEW_PBE_KEY_SPEC.matches(tree)) {
+      return Optional.of(tree.arguments().get(1));
+    } else if (NEW_PBE_PARAM_SPEC.matches(tree)) {
+      return Optional.of(tree.arguments().get(0));
     }
+    return Optional.empty();
   }
 
   private static boolean isPredictable(ExpressionTree saltExpression, List<JavaFileScannerContext.Location> locations) {
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2053_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2053_java.html
@@ -1,56 +1,31 @@
-<p>In cryptography, "salt" is extra piece of data which is included in a hashing algorithm. It makes dictionary attacks more difficult. Using a
-cryptographic hash function without an unpredictable salt increases the likelihood that an attacker will be able to successfully guess a hashed value
-such as a password with a dictionary attack.</p>
-<p>This rule raises an issue when a hashing function which has been specifically designed for hashing sensitive data, such as PBKDF2, is used with a
-non-random, reused or too short salt value. It does not raise an issue on base hashing algorithms such as sha1 or md5 as these are often used for
-other purposes.</p>
+<p>In cryptography, a "salt" is an extra piece of data which is included when hashing a password. This makes <code>rainbow-table attacks</code> more
+difficult. Using a cryptographic hash function without an unpredictable salt increases the likelihood that an attacker could successfully find the
+hash value in databases of precomputed hashes (called <code>rainbow-tables</code>).</p>
+<p>This rule raises an issue when a hashing function which has been specifically designed for hashing passwords, such as <code>PBKDF2</code>, is used
+with a non-random, reused or too short salt value. It does not raise an issue on base hashing algorithms such as <code>sha1</code> or <code>md5</code>
+as they should not be used to hash passwords.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
-  <li> Use hashing functions generating their own salt or generate a long random salt of at least 32 bytes. </li>
-  <li> The salt is at least as long as the resulting hash value. </li>
-  <li> Provide the salt to a safe hashing function such as PBKDF2. </li>
-  <li> Save both the salt and the hashed value in the relevant database record; during future validation operations, the salt and hash can then be
-  retrieved from the database. The hash is recalculated with the stored salt and the value being validated, and the result compared to the stored
-  hash. </li>
+  <li> Use hashing functions generating their own secure salt or generate a secure random value of at least 16 bytes. </li>
+  <li> The salt should be unique by user password. </li>
 </ul>
 <h2>Noncompliant Code Example</h2>
-<p>Below, the hashed password is not salted:</p>
-<pre>
-MessageDigest md = MessageDigest.getInstance("SHA-512");
-byte[] hashedPassword = md.digest(passwordToHash.getBytes(StandardCharsets.UTF_8)); // Noncompliant
-</pre>
-<pre>
-MessageDigest md = MessageDigest.getInstance("SHA-512");
-md.update(passwordToHash.getBytes(StandardCharsets.UTF_8));
-byte[] hashedPassword = md.digest(); // Noncompliant, only one "update()" call and "digest()" without parameters
-</pre>
-<pre>
-MessageDigest md = MessageDigest.getInstance("SHA-512");
-byte[] hashedPassword = md.digest(passwordToHash.getBytes(StandardCharsets.UTF_8)); // Noncompliant, no "update()" call
-</pre>
-<pre>
-PBEKeySpec spec = new PBEKeySpec(chars); // Noncompliant, no salt as an argument
-</pre>
+<p>Below, the hashed password use a predictable salt:</p>
 <pre>
 byte[] salt = "notrandom".getBytes();
-PBEKeySpec spec = new PBEKeySpec(chars, salt); // Noncompliant, predictable salt
+
+PBEParameterSpec cipherSpec = new PBEParameterSpec(salt, 10000); // Noncompliant, predictable salt
+PBEKeySpec spec = new PBEKeySpec(chars, salt, 10000, 256); // Noncompliant, predictable salt
 </pre>
 <h2>Compliant Solution</h2>
-<p>Use <code>java.security.SecureRandom</code> to produce a unpredictable salt:</p>
+<p>Use <code>java.security.SecureRandom</code> to generate an unpredictable salt:</p>
 <pre>
-MessageDigest md = MessageDigest.getInstance("SHA-512");
-
 SecureRandom random = new SecureRandom();
 byte[] salt = new byte[16];
 random.nextBytes(salt);
 
-md.update(salt);
-
-byte[] hashedPassword = md.digest(passwordToHash.getBytes(StandardCharsets.UTF_8)); // Compliant
-</pre>
-<pre>
-byte[] salt = this.secureSalt();
-PBEKeySpec spec = new PBEKeySpec(chars, salt); // Compliant
+PBEParameterSpec cipherSpec = new PBEParameterSpec(salt, 10000); // Compliant
+PBEKeySpec spec = new PBEKeySpec(chars, salt, 10000, 256); // Compliant
 </pre>
 <h2>See</h2>
 <ul>
