Vulny-Code-Static-Analysis/semgrep/openssl-decrypt-validate.yaml

rules:
- id: openssl-decrypt-validate
  patterns:
  - pattern: openssl_decrypt(...);
  - pattern-not-inside: |
      $DECRYPTED_STRING = openssl_decrypt(...);
      ...
      if($DECRYPTED_STRING === false){
        ...
      }
  - pattern-not-inside: |
      $DECRYPTED_STRING = openssl_decrypt(...);
      ...
      if($DECRYPTED_STRING == false){
        ...
      }
  - pattern-not-inside: |
      $DECRYPTED_STRING = openssl_decrypt(...);
      ...
      if(false === $DECRYPTED_STRING){
        ...
      }
  - pattern-not-inside: |
      $DECRYPTED_STRING = openssl_decrypt(...);
      ...
      if(false == $DECRYPTED_STRING){
        ...
      }
  - pattern-not-inside: |
      $DECRYPTED_STRING = openssl_decrypt(...);
      ...
      assertTrue(false !== $DECRYPTED_STRING,...);
  - pattern-not-inside: |
      $DECRYPTED_STRING = openssl_decrypt(...);
      ...
      assertTrue($DECRYPTED_STRING !== false,...);
  - pattern-not-inside: |
      $DECRYPTED_STRING = openssl_decrypt(...);
      ...
      $REFERENCE::assertTrue(false !== $DECRYPTED_STRING,...);
  - pattern-not-inside: |
      $DECRYPTED_STRING = openssl_decrypt(...);
      ...
      $REFERENCE::assertTrue($DECRYPTED_STRING !== false,...);
  - pattern-not-inside: |
      $DECRYPTED_STRING = openssl_decrypt(...);
      ...
      assert(false !== $DECRYPTED_STRING,...);
  - pattern-not-inside: |
      $DECRYPTED_STRING = openssl_decrypt(...);
      ...
      assert($DECRYPTED_STRING !== false,...);
  message: The function `openssl_decrypt` returns either a string of the decrypted
    data on success or `false` on failure. If the failure case is not handled, this
    could lead to undefined behavior in your application. Please handle the case where
    `openssl_decrypt` returns `false`.
  languages:
  - php
  severity: WARNING
  metadata:
    references:
    - https://www.php.net/manual/en/function.openssl-decrypt.php
    cwe: 'CWE-252: Unchecked Return Value'
    owasp:
    - A02:2021 - Cryptographic Failures
    technology:
    - php
    - openssl
    category: security
Semgrep rules to replace this script 2022-04-30 13:00:48 +00:00			`rules:`
			`- id: openssl-decrypt-validate`
			`patterns:`
			`- pattern: openssl_decrypt(...);`
			`- pattern-not-inside: \|`
			`$DECRYPTED_STRING = openssl_decrypt(...);`
			`...`
			`if($DECRYPTED_STRING === false){`
			`...`
			`}`
			`- pattern-not-inside: \|`
			`$DECRYPTED_STRING = openssl_decrypt(...);`
			`...`
			`if($DECRYPTED_STRING == false){`
			`...`
			`}`
			`- pattern-not-inside: \|`
			`$DECRYPTED_STRING = openssl_decrypt(...);`
			`...`
			`if(false === $DECRYPTED_STRING){`
			`...`
			`}`
			`- pattern-not-inside: \|`
			`$DECRYPTED_STRING = openssl_decrypt(...);`
			`...`
			`if(false == $DECRYPTED_STRING){`
			`...`
			`}`
			`- pattern-not-inside: \|`
			`$DECRYPTED_STRING = openssl_decrypt(...);`
			`...`
			`assertTrue(false !== $DECRYPTED_STRING,...);`
			`- pattern-not-inside: \|`
			`$DECRYPTED_STRING = openssl_decrypt(...);`
			`...`
			`assertTrue($DECRYPTED_STRING !== false,...);`
			`- pattern-not-inside: \|`
			`$DECRYPTED_STRING = openssl_decrypt(...);`
			`...`
			`$REFERENCE::assertTrue(false !== $DECRYPTED_STRING,...);`
			`- pattern-not-inside: \|`
			`$DECRYPTED_STRING = openssl_decrypt(...);`
			`...`
			`$REFERENCE::assertTrue($DECRYPTED_STRING !== false,...);`
			`- pattern-not-inside: \|`
			`$DECRYPTED_STRING = openssl_decrypt(...);`
			`...`
			`assert(false !== $DECRYPTED_STRING,...);`
			`- pattern-not-inside: \|`
			`$DECRYPTED_STRING = openssl_decrypt(...);`
			`...`
			`assert($DECRYPTED_STRING !== false,...);`
			message: The function `openssl_decrypt` returns either a string of the decrypted
			data on success or `false` on failure. If the failure case is not handled, this
			`could lead to undefined behavior in your application. Please handle the case where`
			`openssl_decrypt` returns `false`.
			`languages:`
			`- php`
			`severity: WARNING`
			`metadata:`
			`references:`
			`- https://www.php.net/manual/en/function.openssl-decrypt.php`
			`cwe: 'CWE-252: Unchecked Return Value'`
			`owasp:`
			`- A02:2021 - Cryptographic Failures`
			`technology:`
			`- php`
			`- openssl`
			`category: security`