[Security] Fix CodeQL alert #21: Use of a broken or weak cryptographic algorithm #95
colin-d-fried wants to merge 1 commit into
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| key = get_random_bytes(32) | ||
| cipher = AES.new(key, AES.MODE_GCM) | ||
| ciphertext, tag = cipher.encrypt_and_digest(data.encode()) | ||
| return cipher.nonce + tag + ciphertext |
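Review bot: The return line concatenates cipher.nonce + tag + ciphertext with no length or version marker, so whoever decrypts has to hard-code where the nonce ends and the tag begins. Because AES.new(key, AES.MODE_GCM) is called without a nonce argument, the nonce length is whatever the library defaults to. Generate the nonce explicitly with a fixed length, pass it as nonce=, and state the layout in the function's docstring so the format does not depend on a library default.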
Random encryption key generated but never returned
High Severity
encrypt_sensitive_data generates a random key via get_random_bytes(32) but only returns the nonce, tag, and ciphertext — the key is discarded when the function returns. This means the encrypted data can never be decrypted. The previous (insecure) implementation used a hardcoded key, which at least allowed decryption. The fix swapped a security problem for a complete loss of functionality.
| key = get_random_bytes(32) | ||
| cipher = AES.new(key, AES.MODE_GCM) | ||
| ciphertext, tag = cipher.encrypt_and_digest(data.encode()) | ||
| return cipher.nonce + tag + ciphertext |
🔴 Encryption key is generated randomly but never returned, making decryption impossible
The new encrypt_sensitive_data function generates a random AES-256 key via get_random_bytes(32) on every call, but the key is never returned or stored. The function only returns cipher.nonce + tag + ciphertext. Without the key, there is no way to decrypt the data, rendering the encryption useless — the data is effectively destroyed. The old code used a hardcoded key (b'weakkey1'), which was insecure but at least allowed decryption. The function should either return the key alongside the ciphertext (e.g., as a tuple) or accept the key as a parameter.
| key = get_random_bytes(32) | |
| cipher = AES.new(key, AES.MODE_GCM) | |
| ciphertext, tag = cipher.encrypt_and_digest(data.encode()) | |
| return cipher.nonce + tag + ciphertext | |
| key = get_random_bytes(32) | |
| cipher = AES.new(key, AES.MODE_GCM) | |
| ciphertext, tag = cipher.encrypt_and_digest(data.encode()) | |
| return key, cipher.nonce + tag + ciphertext |
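Review bot: The suggested return key, cipher.nonce + tag + ciphertext changes the return type from bytes to a tuple, and the function still creates a new key on every call, so each caller has to store one key per encrypted value. Taking the key as a parameter instead keeps the bytes return type and leaves key storage in one place.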


Summary
Fixes CodeQL alert #21: Use of a broken or weak cryptographic algorithm
vulnerable_weak_crypto.py
Fix Applied
See the diff for the specific secure coding change applied.
Fixes #23
Note
Medium Risk
Changes the encryption algorithm and output format for encrypt_sensitive_data, which can break any callers expecting DES block-sized output or needing deterministic encryption; also introduces new key-generation behavior that requires correct key management elsewhere.
Overview
Upgrades encrypt_sensitive_data in vulnerable_weak_crypto.py from a hardcoded-key DES ECB implementation to authenticated encryption using AES-256-GCM with a per-call random key.
The function now returns nonce + tag + ciphertext instead of padded DES ciphertext, changing the binary format and requiring callers to handle nonce/tag and persist the generated key for later decryption.
Written by Cursor Bugbot for commit 41e817a.