Review

Misuse Details

Details about the known misuse from the MUBench dataset.

Description:	A string is converted to bytes without specifying an explicit encoding. The bytes are then passed to Cipher.doFinal(). The fix specifies the encoding "UTF-8".
Fix Description:	(see diff)
Violation Types:	missing/call superfluous/call
In File:	org/compiere/util/Secure.java
In Method:	encrypt(String)
Code with Misuse:	class Secure { /** * Encryption. * @param value clear value * @return encrypted String */ public String encrypt (String value) { String clearText = value; if (clearText == null) clearText = ""; // Init if (m_cipher == null) initCipher(); // Encrypt if (m_cipher != null) { try { m_cipher.init(Cipher.ENCRYPT_MODE, m_key); byte[] encBytes = m_cipher.doFinal(clearText.getBytes()); String encString = convertToHexString(encBytes); // globalqss - [ 1577737 ] Security Breach - show database password // log.log (Level.ALL, value + " => " + encString); return encString; } catch (Exception ex) { // log.log(Level.INFO, value, ex); log.log(Level.INFO, "Problem encrypting string", ex); } } // Fallback return CLEARVALUE_START + value + CLEARVALUE_END; } // encrypt }
Code with Pattern(s):	`class SpecifyEncryptEncoding { void pattern(String clearText) throws UnsupportedEncodingException { clearText.getBytes("UTF8"); } }`