21 changes: 14 additions & 7 deletions src/request.c
@@ -52,6 +52,12 @@
#define USER_AGENT_SIZE 256
#define REQUEST_STACK_SIZE 32
#define SIGNATURE_SCOPE_SIZE 64
// CWE-321: Use of Hardcoded Cryptographic Key
// The "AWS4" prefix is required by AWS Signature V4 spec and is NOT a secret key.
// The real cryptographic key is provided at runtime (not hardcoded).
#define AWS4_PREFIX "AWS4"
#define AWS4_SERVICE "s3"
#define AWS4_REQUEST "aws4_request"

//#define SIGNATURE_DEBUG

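Review bot: the comment above `#define AWS4_PREFIX` is headed with the very CWE it argues does not apply, so a reader (or a scanner matching on comment text) sees "CWE-321: Use of Hardcoded Cryptographic Key" attached to a line that holds no key. Reword it as a suppression rationale, e.g. `// Not a hardcoded key (CWE-321 false positive): "AWS4" is a fixed protocol prefix from the SigV4 spec; the secret is supplied at runtime.` Also, now that `AWS4_SERVICE` exists, the remaining `"s3"` literals in the signing-key derivation should use it so the service name cannot drift between the credential scope string and the derived key.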
@@ -1002,9 +1008,9 @@
awsRegion = params->bucketContext.authRegion;
}
char scope[sizeof(values->requestDateISO8601) + sizeof(awsRegion) +
sizeof("//s3/aws4_request") + 1];
snprintf(scope, sizeof(scope), "%.8s/%s/s3/aws4_request",
2 /* slashes */ + sizeof(AWS4_SERVICE) + 1 /* slash */ + sizeof(AWS4_REQUEST)];
snprintf(scope, sizeof(scope), "%.8s/%s/" AWS4_SERVICE "/" AWS4_REQUEST,
values->requestDateISO8601, awsRegion);

Check failure on line 1013 in src/request.c
Orca Security (EU) / Orca Security - SAST
[HIGH] Prevent Format String Vulnerabilities in Snprintf Usage
Details: Format string vulnerabilities can allow attackers to manipulate memory by reading or writing data. To mitigate these risks, avoid using user input for format specifications. Instead, use constant format strings or sanitize input to remove format specifiers before calling any functions from the `snprintf` family. Be aware that some variations of these functions may not null terminate strings. For detailed guidance on `snprintf`, refer to https://linux.die.net/man/3/snprintf, and for more on format string attacks, visit OWASP's guide at https://owasp.org/www-community/attacks/Format_string_attack. Recommendation: To mitigate format string vulnerabilities, avoid using user-controlled input for format specifications. Use constant strings or sanitize input to remove format specifiers before passing them to snprintf functions. Ensure proper null termination of strings.

char stringToSign[17 + 17 + sizeof(values->requestDateISO8601) +
sizeof(scope) + sizeof(canonicalRequestHashHex) + 1];
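Review bot: the size of `scope` still includes `sizeof(awsRegion)`, and `awsRegion` is assigned from `params->bucketContext.authRegion` two lines above, so it is a pointer and `sizeof` yields the pointer width, not the region length. `snprintf` bounds the write, so this cannot overflow, but a region longer than the slack silently truncates the scope and yields a signature the service rejects. Size the buffer from the string instead, as `accessKey` is sized below: `char scope[sizeof(values->requestDateISO8601) + strlen(awsRegion) + 2 + sizeof(AWS4_SERVICE) + 1 + sizeof(AWS4_REQUEST)];` (if `awsRegion` can be NULL on some path, use the bound of the source buffer instead). The two `sizeof` on literals each count a NUL, which is why the old trailing `+ 1` is no longer needed; a comment saying so would save the next reader the arithmetic. The Orca HIGH finding on the changed `snprintf` is a false positive: the format is a compile-time concatenation of string literals and the only runtime data are `%` arguments.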
@@ -1017,7 +1023,7 @@

const char *secretAccessKey = params->bucketContext.secretAccessKey;
char accessKey[strlen(secretAccessKey) + 5];
snprintf(accessKey, sizeof(accessKey), "AWS4%s", secretAccessKey);
snprintf(accessKey, sizeof(accessKey), AWS4_PREFIX "%s", secretAccessKey);

Check failure on line 1026 in src/request.c
Orca Security (EU) / Orca Security - SAST
[HIGH] Prevent Format String Vulnerabilities in Snprintf Usage

#ifdef __APPLE__
unsigned char dateKey[S3_SHA256_DIGEST_LENGTH];
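Review bot: the `+ 5` in `char accessKey[strlen(secretAccessKey) + 5]` is now a hidden duplicate of the `AWS4_PREFIX` length; tie it to the macro, `strlen(secretAccessKey) + sizeof(AWS4_PREFIX)` (the `sizeof` of the literal already includes the terminating NUL), so a change to the prefix cannot leave the buffer short. `accessKey` is also the raw HMAC key for the first derivation step and stays on the stack for the rest of the function; clearing it, and the derived `dateKey`, with `explicit_bzero` or `memset_s` once the signing key has been computed limits how long secret-derived material lingers in memory. The format string on the changed line is a literal, so the HIGH finding is a false positive.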
@@ -1031,7 +1037,7 @@
dateRegionServiceKey);
unsigned char signingKey[S3_SHA256_DIGEST_LENGTH];
CCHmac(kCCHmacAlgSHA256, dateRegionServiceKey, S3_SHA256_DIGEST_LENGTH,
"aws4_request", strlen("aws4_request"), signingKey);
AWS4_REQUEST, strlen(AWS4_REQUEST), signingKey);

Check warning on line 1040 in src/request.c
Orca Security (EU) / Orca Security - SAST
[INFO] Improper handling of non-null-terminated strings in strlen functions
Details: The `strlen` family of functions does not properly handle non-null-terminated strings, which may result in buffer overreads and potential application crashes due to unintended memory access. It is advisable to use `strnlen`, as it allows specifying a maximum length. For further details, refer to the documentation at https://linux.die.net/man/3/strnlen. If working with the C Runtime Library (CRT), consider using more secure variants of these functions as outlined here: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strnlen-strnlen-s?view=msvc-170. Recommendation: Replace calls to `strlen` with `strnlen`, which allows specifying a maximum length. This prevents buffer over-reads by ensuring that you do not read beyond the intended memory bounds, thus avoiding potential crashes.

unsigned char finalSignature[S3_SHA256_DIGEST_LENGTH];
CCHmac(kCCHmacAlgSHA256, signingKey, S3_SHA256_DIGEST_LENGTH, stringToSign,
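Review bot: `strlen(AWS4_REQUEST)` on a string-literal macro can be the compile-time constant `sizeof(AWS4_REQUEST) - 1`, which avoids a runtime call and removes the trigger for the strnlen INFO finding; the finding itself is a false positive because a literal is always NUL-terminated. A single `#define AWS4_REQUEST_LEN (sizeof(AWS4_REQUEST) - 1)` next to the new macros would let this branch and the OpenSSL branch share the length instead of each recomputing it.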
@@ -1051,7 +1057,7 @@
(const unsigned char*) "s3", 2, dateRegionServiceKey, NULL);
unsigned char signingKey[S3_SHA256_DIGEST_LENGTH];
HMAC(sha256evp, dateRegionServiceKey, S3_SHA256_DIGEST_LENGTH,
(const unsigned char*) "aws4_request", strlen("aws4_request"),
(const unsigned char*) AWS4_REQUEST, strlen(AWS4_REQUEST),

Check warning on line 1060 in src/request.c
Orca Security (EU) / Orca Security - SAST
[INFO] Improper handling of non-null-terminated strings in strlen functions
signingKey,
NULL);

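Review bot: the context line `(const unsigned char*) "s3", 2, dateRegionServiceKey, NULL);` still hardcodes the service name and its length while the new `AWS4_SERVICE` macro now exists; switch it to `(const unsigned char*) AWS4_SERVICE, sizeof(AWS4_SERVICE) - 1` so the signing key and the credential scope cannot disagree on the service. The `strlen(AWS4_REQUEST)` on the changed line has the same `sizeof(AWS4_REQUEST) - 1` alternative as in the Apple branch, and the INFO finding is likewise a false positive on a literal.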
@@ -1067,9 +1073,10 @@
buf_append(values->requestSignatureHex, "%02x", finalSignature[i]);
}

snprintf(values->authCredential, sizeof(values->authCredential),
"%s/%.8s/%s/s3/aws4_request", params->bucketContext.accessKeyId,
values->requestDateISO8601, awsRegion);
"%s/%.8s/%s/" AWS4_SERVICE "/" AWS4_REQUEST,
params->bucketContext.accessKeyId,
values->requestDateISO8601, awsRegion)

Check failure on line 1079 in src/request.c
Orca Security (EU) / Orca Security - SAST
[HIGH] Prevent Format String Vulnerabilities in Snprintf Usage

snprintf(values->authorizationHeader,
sizeof(values->authorizationHeader),
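Review bot: the new line `values->requestDateISO8601, awsRegion)` drops the semicolon that the removed line had, so the statement runs straight into the following `snprintf(values->authorizationHeader, ...)` and this hunk does not compile; restore `);`. Otherwise the change is sound: the format remains a literal built from macros, so the HIGH finding is a false positive, and `%.8s` on the date plus the fixed-size `values->authCredential` mean `snprintf` truncates rather than overflows if the access key id or region is long. A truncated credential is still an unusable header, though, so checking that the return value is less than `sizeof(values->authCredential)` would turn silent truncation into a reported error.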