C#: Add test for decrypt.

michaelnebel · michaelnebel · commit 52a9fb0de78f · 2022-07-18T14:28:49.000+02:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs
@@ -46,13 +46,36 @@ static void Main(string[] args)
             // GOOD (this function hashes password)
             var de = DecryptWithPassword(ct, c, iv);
 
+            // BAD: harc-coded password passed to Decrypt
+            var de1 = Decrypt(ct, c, iv);
+
             // BAD [NOT DETECTED]
             CreateCryptographicKey(null, byteArrayFromString);
 
             // GOOD
             CreateCryptographicKey(null, File.ReadAllBytes("secret.key"));
         }
 
+        public static string Decrypt(byte[] cipherText, byte[] password, byte[] IV)
+        {
+            byte[] rawPlaintext;
+            var salt = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 };
+
+            using (Aes aes = new AesManaged())
+            {
+                using (MemoryStream ms = new MemoryStream())
+                {
+                    using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(password, IV), CryptoStreamMode.Write))
+                    {
+                        cs.Write(cipherText, 0, cipherText.Length);
+                    }
+                    rawPlaintext = ms.ToArray();
+                }
+
+                return Encoding.Unicode.GetString(rawPlaintext);
+            }
+        }
+
         public static string DecryptWithPassword(byte[] cipherText, byte[] password, byte[] IV)
         {
             byte[] rawPlaintext;
