Deprecated crypto API shim

Author: kadraman

.gitignore

@@ -143,3 +143,6 @@ iwa.db
 junit.xml
 aviator_*
 .fortify
+
+.otappsec
+fortifypackage.zip

.vscode/settings.json

@@ -1,3 +1,3 @@
 {
-    "fortifyRemediation.softwareSecurityCenterURL": "https://ssc.uat.fortifyhosted.net"
+    "fortifyRemediation.softwareSecurityCenterURL": "https://ssc.stage.cyberresstage.com/"
 }

README.md

@@ -1,6 +1,6 @@
 # InsecureRestAPI
 
-_InsecureRestAPI_ is a simple NodeJS/Express/MongoFB REST API that can be used for the demonstration of Application Security testing tools - such as [OpenText Application Security](https://www.opentext.com/products/application-security).
+_InsecureRestAPI_ is a simple NodeJS/Express/MongoDB REST API that can be used for the demonstration of Application Security testing tools - such as [OpenText Application Security](https://www.opentext.com/products/application-security).
 
 Pre-requisities
 ---------------
@@ -18,6 +18,7 @@ You can the run the application locally using the following:
 ```
 npm install
 npm install -g ts-node-dev
+npm test
 npm run dev
 ```
 
@@ -73,8 +74,8 @@ To carry out a Fortify ScanCentral SAST scan, run the following:
 ```
 fcli ssc session login
 scancentral package -o package.zip -bt none
-fcli sast-scan start --release "_YOURAPP_:_YOURREL_" -f package.zip --store curScan
-fcli sast-scan wait-for ::curScan::
+fcli sc-sast scan start --publish-to "_YOURAPP_:_YOURREL_" -f package.zip --store curScan
+fcli sc-sast scan wait-for ::curScan::
 fcli ssc action run appversion-summary --av "_YOURAPP_:_YOURREL_" -fs "Security Auditor View" -f summary.md
 ```
 

package.json

@@ -7,7 +7,9 @@
     "build": "cross-env NODE_ENV=production npx tsc && cross-env NODE_ENV=production ts-node src/configs/swagger.config.ts && shx cp src/configs/swagger_output.json ./dist/configs",
     "start": "cross-env NODE_ENV=production node dist/index.js",
     "dev": "ts-node-dev --respawn --transpile-only src/index.ts",
+    "dev:legacy": "cross-env USE_CRYPTO_BROWSERIFY=true USE_LEGACY_CIPHER=true npm run dev",
     "test": "cross-env jest --ci --reporters=default --reporters=jest-junit",
+    "test:legacy": "cross-env USE_CRYPTO_BROWSERIFY=true USE_LEGACY_CIPHER=true npm run test",
     "swagger": "cross-env ts-node src/configs/swagger.config.ts && shx cp src/configs/swagger_output.json ./public/docs/openapi.json"
   },
   "keywords": [],

src/utils/encrypt.utils.ts

@@ -17,10 +17,62 @@
         along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-var crypto = require('crypto-browserify')
+// Allow optionally using crypto-browserify for legacy/insecure behavior during testing.
+let cryptoLib: any;
+if (process.env.USE_CRYPTO_BROWSERIFY === 'true') {
+    // Use require so bundlers aren't forced to include this in production builds
+    // and to allow runtime selection in dev/test scenarios.
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    cryptoLib = require('crypto-browserify');
+} else {
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    cryptoLib = require('crypto');
+}
 
 import Logger from "../middleware/logger";
 
+// Provide an optional legacy shim that emulates the deprecated OpenSSL-style
+// `createCipher(algorithm, password)` / `createDecipher(algorithm, password)`
+// by deriving a key+iv using the EVP_BytesToKey MD5 scheme. This is insecure
+// but useful for intentionally testing detectors that look for legacy crypto use.
+function evpBytesToKey(password: string, keyLen: number, ivLen: number) {
+    const passwordBuf = Buffer.from(String(password), 'binary');
+    let m = Buffer.alloc(0);
+    let i = 0;
+    let md5: Buffer = Buffer.alloc(0);
+    while (m.length < (keyLen + ivLen)) {
+        const hash = cryptoLib.createHash('md5');
+        if (i === 0) {
+            hash.update(passwordBuf);
+        } else {
+            hash.update(Buffer.concat([md5, passwordBuf]));
+        }
+        md5 = hash.digest();
+        m = Buffer.concat([m, md5]);
+        i++;
+    }
+    return {
+        key: m.slice(0, keyLen),
+        iv: m.slice(keyLen, keyLen + ivLen),
+    };
+}
+
+function createLegacyCipher(algorithm: string, password: string) {
+    // Only implemented for AES-*-CTR/GCM/CBC families used in this project.
+    // For `aes-256-ctr` key=32 iv=16.
+    const keyLen = algorithm.includes('256') ? 32 : 16;
+    const ivLen = 16;
+    const derived = evpBytesToKey(password, keyLen, ivLen);
+    return cryptoLib.createCipheriv(algorithm, derived.key, derived.iv);
+}
+
+function createLegacyDecipher(algorithm: string, password: string) {
+    const keyLen = algorithm.includes('256') ? 32 : 16;
+    const ivLen = 16;
+    const derived = evpBytesToKey(password, keyLen, ivLen);
+    return cryptoLib.createDecipheriv(algorithm, derived.key, derived.iv);
+}
+
 export abstract class EncryptUtils {
 
     static jwtSecret = process.env.JWT_SECRET || "your-very-long-and-random-secret-key";
@@ -34,29 +86,59 @@ export abstract class EncryptUtils {
 
     public static cryptPassword(password: String): String {
         //process.stdout.write("Encrypting password: " + password);
-        var cipher = crypto.createCipher(this.algorithm, this.encryptionKey);
-        var mystr = cipher.update(password, 'utf8', 'hex');
+        const useLegacy = process.env.USE_LEGACY_CIPHER === 'true';
+        if (useLegacy) {
+            const cipher = createLegacyCipher(this.algorithm, this.encryptionKey);
+            let mystr = cipher.update(String(password), 'utf8', 'hex');
+            mystr += cipher.final('hex');
+            process.stdout.write("Encrypted password:" + mystr);
+            return mystr;
+        }
+        const key = cryptoLib.createHash('sha256').update(String(this.encryptionKey)).digest();
+        const iv = cryptoLib.randomBytes(16);
+        const cipher = cryptoLib.createCipheriv(this.algorithm, key, iv);
+        let mystr = cipher.update(String(password), 'utf8', 'hex');
         mystr += cipher.final('hex');
-        process.stdout.write("Encrypted password:" + mystr);
-        return mystr;
+        const payload = iv.toString('hex') + ':' + mystr;
+        process.stdout.write("Encrypted password:" + payload);
+        return payload;
     }
 
     public static decryptPassword(hashPassword: String): String {
         process.stdout.write("Decrypting password: " + hashPassword);
-        var cipher = crypto.createDecipher(this.algorithm, this.encryptionKey);
-        var mystr = cipher.update(hashPassword, 'hex', 'utf8');
-        mystr += cipher.final('utf8');
+        const useLegacy = process.env.USE_LEGACY_CIPHER === 'true';
+        const parts = String(hashPassword).split(':');
+        if (parts.length !== 2) {
+            if (useLegacy) {
+                // Attempt legacy-style decipher (no IV prefix)
+                try {
+                    const decipher = createLegacyDecipher(this.algorithm, this.encryptionKey);
+                    let mystr = decipher.update(String(hashPassword), 'hex', 'utf8');
+                    mystr += decipher.final('utf8');
+                    process.stdout.write("Decrypted password:" + mystr);
+                    return mystr;
+                } catch (e) {
+                    return String(hashPassword);
+                }
+            }
+            // Not in iv:encrypted format - return as-is or throw
+            return String(hashPassword);
+        }
+        const iv = Buffer.from(parts[0], 'hex');
+        const encrypted = parts[1];
+        const key = cryptoLib.createHash('sha256').update(String(this.encryptionKey)).digest();
+        const decipher = cryptoLib.createDecipheriv(this.algorithm, key, iv);
+        let mystr = decipher.update(encrypted, 'hex', 'utf8');
+        mystr += decipher.final('utf8');
         process.stdout.write("Decrypted password:" + mystr);
         return mystr;
     }
 
     public static comparePassword(password: String, hashPassword: String): Boolean {
         //process.stdout.write("Encrypted password: " + hashPassword);
-        var cipher = crypto.createDecipher(this.algorithm, this.encryptionKey);
-        var mystr = cipher.update(hashPassword, 'hex', 'utf8');
-        mystr += cipher.final('utf8');
-        process.stdout.write("Comparing passwords: " + mystr + " = " + password);
-        return (password == mystr);
+        const plain = this.decryptPassword(hashPassword);
+        process.stdout.write("Comparing passwords: " + plain + " = " + password);
+        return (String(password) == String(plain));
     }
 
 }

test/encrypt.utils.test.ts

@@ -1,30 +1,39 @@
 import {expect, jest, test, describe} from '@jest/globals';
-import { EncryptUtils } from "../src/utils/encrypt.utils"; // Adjust the path as needed
+import { EncryptUtils } from "../src/utils/encrypt.utils";
 
 describe("Encryption TestCases", () => {
 
-    test("Encrypt password", () => {
-        //Call function of 
-        var enc = EncryptUtils.cryptPassword("ABCDE12345");
-        // assertions
-        expect(enc).toBe("acbf8a291bed749b6eeb");
+    test("Encrypt/Decrypt roundtrip", () => {
+        const plain = "ABCDE12345";
+        const enc = EncryptUtils.cryptPassword(plain);
+        const dec = EncryptUtils.decryptPassword(enc);
+        expect(dec).toBe(plain);
 
+        // In legacy mode the ciphertext is deterministic and matches the old value
+        if (process.env.USE_LEGACY_CIPHER === 'true' && process.env.USE_CRYPTO_BROWSERIFY === 'true') {
+            expect(enc).toBe("acbf8a291bed749b6eeb");
+        } else {
+            // Modern mode: expect iv:hex format
+            expect(typeof enc).toBe('string');
+            expect(enc).toMatch(/^[0-9a-f]+:[0-9a-f]+$/);
+        }
     });
 
-    test("Decrypt password", () => {
-        //Call function of 
-        var enc = EncryptUtils.decryptPassword("acbf8a291bed749b6eeb");
-        // assertions
-        expect(enc).toBe("ABCDE12345");
+    test("Decrypt legacy literal", () => {
+        if (process.env.USE_LEGACY_CIPHER === 'true' && process.env.USE_CRYPTO_BROWSERIFY === 'true') {
+            const dec = EncryptUtils.decryptPassword("acbf8a291bed749b6eeb");
+            expect(dec).toBe("ABCDE12345");
+        } else {
+            // In modern mode, attempting to decrypt a legacy literal returns it unchanged
+            const dec = EncryptUtils.decryptPassword("acbf8a291bed749b6eeb");
+            expect(dec).toBe("acbf8a291bed749b6eeb");
+        }
     });
 
-    
     test("Compare passwords", () => {
-        //Call function of 
-        var enc = EncryptUtils.cryptPassword("ABCDE12345");
-        // assertions
-        expect(EncryptUtils.comparePassword("ABCDE12345", enc)).toBeTruthy;
-        expect(EncryptUtils.comparePassword("12345ABCDE", enc)).toBeFalsy;
+        const enc = EncryptUtils.cryptPassword("ABCDE12345");
+        expect(EncryptUtils.comparePassword("ABCDE12345", enc)).toBeTruthy();
+        expect(EncryptUtils.comparePassword("12345ABCDE", enc)).toBeFalsy();
     });
 
 });