Rust: Add qhelp and examples.

geoffw0 · geoffw0 · commit 95be12ed80f9 · 2025-03-06T17:48:47.000Z
diff --git a/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.qhelp b/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.qhelp
@@ -0,0 +1,58 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Hardcoded passwords, keys, initialization vectors and salts should not be used for cryptographic operations.
+</p>
+<ul>
+  <li>
+    Attackers can easily recover hardcoded values if they have access to the source code or compiled executable.
+  </li>
+  <li>
+    Some hardcoded values may be easily guessable.
+  </li>
+  <li>
+    Hardcoded values may leave cryptographic operations vulnerable to dictionary attacks, rainbow tables, and other forms of cryptanalysis.
+  </li>
+</ul>
+
+</overview>
+<recommendation>
+
+<p>
+Use randomly generated key material, initialization vectors and salts. Use strong passwords that are not hardcoded in source code.
+</p>
+
+</recommendation>
+<example>
+
+<p>
+The following example shows instantiating a cipher with hardcoded key material, making the encrypted data vulnerable to recovery.
+</p>
+
+<sample src="HardcodedCryptographicValueBad.rs" />
+
+<p>
+In the fixed code below, the key material is randomly generated and not hardcoded, which protects the encrypted data against recovery. A real application would also need a strategy for secure key management after the key has been generated.
+</p>
+
+<sample src="HardcodedCryptographicValueGood.rs" />
+
+</example>
+<references>
+
+<li>
+OWASP: <a href="https://www.owasp.org/index.php/Use_of_hard-coded_password">Use of hard-coded password</a>.
+</li>
+<li>
+OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>.
+</li>
+<li>
+O'Reilly: <a href="https://www.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch04s09.html">Using Salts, Nonces, and Initialization Vectors</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValueBad.rs b/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValueBad.rs
@@ -0,0 +1,2 @@
+let key: [u8;32] = [0;32]; // BAD: Using hardcoded keys for encryption
+let cipher = Aes256Gcm::new(&key.into());
diff --git a/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValueGood.rs b/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValueGood.rs
@@ -0,0 +1,2 @@
+let key = Aes256Gcm::generate_key(aes_gcm::aead::OsRng); // GOOD: Using randomly generated keys for encryption
+let cipher = Aes256Gcm::new(&key);

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+let key: [u8;32] = [0;32]; // BAD: Using hardcoded keys for encryption`
	`2`	`+let cipher = Aes256Gcm::new(&key.into());`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+let key = Aes256Gcm::generate_key(aes_gcm::aead::OsRng); // GOOD: Using randomly generated keys for encryption`
	`2`	`+let cipher = Aes256Gcm::new(&key);`