feat: Add Plugin for Detecting Non-Standard Cryptography Usage with Integrated Tests

.husky/commit-msg

@@ -1,4 +1 @@
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
-
 npx --no -- commitlint --edit ${1} && npm run lint

src/proxy/chain.js

@@ -11,6 +11,7 @@ const pushActionChain = [
   proc.push.writePack,
   proc.push.getDiff,
   proc.push.clearBareClone,
+  proc.push.checkCryptoImplementation,
   proc.push.scanDiff,
   proc.push.blockForAuth,
 ];

src/proxy/processors/push-action/checkCryptoImplementation.js

@@ -0,0 +1,140 @@
+const Step = require('../../actions').Step;
+
+// Common encryption-related patterns and keywords
+const CRYPTO_PATTERNS = {
+  // Known non-standard encryption algorithms
+  nonStandardAlgorithms: [
+    'xor\\s*\\(',
+    'rot13',
+    'caesar\\s*cipher',
+    'custom\\s*encrypt',
+    'simple\\s*encrypt',
+    'homebrew\\s*crypto',
+    'custom\\s*hash'
+  ],
+
+  // Suspicious operations that might indicate custom crypto Implementation
+  suspiciousOperations: [
+    'bit\\s*shift',
+    'bit\\s*rotate',
+    '\\^=',  
+    '\\^',   
+    '>>>',
+    '<<<',
+    'shuffle\\s*bytes'
+  ],
+
+  // Common encryption-related variable names
+  suspiciousVariables: [
+    'cipher',
+    'encrypt',
+    'decrypt',
+    'scramble',
+    'salt(?!\\w)',
+    'iv(?!\\w)',
+    'nonce'
+  ]
+};
+
+function analyzeCodeForCrypto(diffContent) {
+  const issues = [];
+  // Check for above mentioned cryto Patterns
+  if(!diffContent) return issues;
+
+  CRYPTO_PATTERNS.nonStandardAlgorithms.forEach(pattern => {
+    const regex = new RegExp(pattern, 'gi');
+    const matches = diffContent.match(regex);
+    if (matches) {
+      issues.push({
+        type: 'non_standard_algorithm',
+        pattern: pattern,
+        matches: matches,
+        severity: 'high',
+        message: `Detected possible non-standard encryption algorithm: ${matches.join(', ')}`
+      });
+    }
+  });
+
+  CRYPTO_PATTERNS.suspiciousOperations.forEach(pattern => {
+    const regex = new RegExp(pattern, 'gi');
+    const matches = diffContent.match(regex);
+    if (matches) {
+      issues.push({
+        type: 'suspicious_operation',
+        pattern: pattern,
+        matches: matches,
+        severity: 'medium',
+        message: `Detected suspicious cryptographic operation: ${matches.join(', ')}`
+      });
+    }
+  });
+
+  CRYPTO_PATTERNS.suspiciousVariables.forEach(pattern => {
+    const regex = new RegExp(pattern, 'gi');
+    const matches = diffContent.match(regex);
+    if (matches) {
+      issues.push({
+        type: 'suspicious_variable',
+        pattern: pattern,
+        matches: matches,
+        severity: 'low',
+        message: `Detected potential encryption-related variable: ${matches.join(', ')}`
+      });
+    }
+  });
+
+  return issues;
+}
+
+const exec = async (req, action) => {
+  const step = new Step('checkCryptoImplementation');
+
+  try {
+    let hasIssues = false;
+    const allIssues = [];
+
+    for (const commit of action.commitData) {
+      const diff = commit.diff || '';
+      const issues = analyzeCodeForCrypto(diff);
+
+      if (issues.length > 0) {
+        hasIssues = true;
+        allIssues.push({
+          commit: commit.hash,
+          issues: issues
+        });
+      }
+    }
+
+    if (hasIssues) {
+      step.error = true;
+
+      const errorMessage = allIssues.map(commitIssues => {
+        return `Commit ${commitIssues.commit}:\n` +
+          commitIssues.issues.map(issue => 
+            `- ${issue.severity.toUpperCase()}: ${issue.message}`
+          ).join('\n');
+      }).join('\n\n');
+
+      step.setError(
+        '\n\nYour push has been blocked.\n' +
+        'Potential non-standard cryptographic implementations detected:\n\n' +
+        `${errorMessage}\n\n` +
+        'Please use standard cryptographic libraries instead of custom implementations.\n' +
+        'Recommended: Use established libraries like crypto, node-forge, or Web Crypto API.\n'
+      );
+    }
+
+    action.addStep(step);
+    return action;
+  } catch (error) {
+    step.error = true;
+    step.setError(`Error analyzing crypto implementation: ${error.message}`);
+    action.addStep(step);
+    return action;
+  }
+};
+
+// exec.displayName = 'checkCryptoImplementation.exec';
+exports.exec = exec;
+exports.analyzeCodeForCrypto = analyzeCodeForCrypto;

src/proxy/processors/push-action/index.js

@@ -11,3 +11,4 @@ exports.checkCommitMessages = require('./checkCommitMessages').exec;
 exports.checkAuthorEmails = require('./checkAuthorEmails').exec;
 exports.checkUserPushPermission = require('./checkUserPushPermission').exec;
 exports.clearBareClone = require('./clearBareClone').exec;
+exports.checkCryptoImplementation = require('./checkCryptoImplementation').exec;

test/chain.test.js

@@ -19,6 +19,7 @@ const mockPushProcessors = {
   audit: sinon.stub(),
   checkRepoInAuthorisedList: sinon.stub(),
   checkCommitMessages: sinon.stub(),
+  checkCryptoImplementation: sinon.stub(),
   checkAuthorEmails: sinon.stub(),
   checkUserPushPermission: sinon.stub(),
   checkIfWaitingAuth: sinon.stub(),
@@ -33,6 +34,7 @@ mockPushProcessors.parsePush.displayName = 'parsePush';
 mockPushProcessors.audit.displayName = 'audit';
 mockPushProcessors.checkRepoInAuthorisedList.displayName = 'checkRepoInAuthorisedList';
 mockPushProcessors.checkCommitMessages.displayName = 'checkCommitMessages';
+mockPushProcessors.checkCryptoImplementation.displayName = 'checkCryptoImplementation';
 mockPushProcessors.checkAuthorEmails.displayName = 'checkAuthorEmails';
 mockPushProcessors.checkUserPushPermission.displayName = 'checkUserPushPermission';
 mockPushProcessors.checkIfWaitingAuth.displayName = 'checkIfWaitingAuth';
@@ -106,6 +108,7 @@ describe('proxy chain', function () {
     mockPushProcessors.checkCommitMessages.resolves(continuingAction);
     mockPushProcessors.checkAuthorEmails.resolves(continuingAction);
     mockPushProcessors.checkUserPushPermission.resolves(continuingAction);
+    mockPushProcessors.checkCryptoImplementation.resolves(continuingAction);
 
     // this stops the chain from further execution
     mockPushProcessors.checkIfWaitingAuth.resolves({ type: 'push', continue: () => false, allowPush: false });
@@ -120,6 +123,7 @@ describe('proxy chain', function () {
     expect(mockPushProcessors.checkIfWaitingAuth.called).to.be.true;
     expect(mockPushProcessors.pullRemote.called).to.be.false;
     expect(mockPushProcessors.audit.called).to.be.true;
+    expect(mockPushProcessors.checkCryptoImplementation.called).to.be.true;
 
     expect(result.type).to.equal('push');
     expect(result.allowPush).to.be.false;
@@ -135,6 +139,8 @@ describe('proxy chain', function () {
     mockPushProcessors.checkCommitMessages.resolves(continuingAction);
     mockPushProcessors.checkAuthorEmails.resolves(continuingAction);
     mockPushProcessors.checkUserPushPermission.resolves(continuingAction);
+    mockPushProcessors.checkCryptoImplementation.resolves(continuingAction);
+
     // this stops the chain from further execution
     mockPushProcessors.checkIfWaitingAuth.resolves({ type: 'push', continue: () => true, allowPush: true });
     const result = await chain.executeChain(req);
@@ -148,6 +154,7 @@ describe('proxy chain', function () {
     expect(mockPushProcessors.checkIfWaitingAuth.called).to.be.true;
     expect(mockPushProcessors.pullRemote.called).to.be.false;
     expect(mockPushProcessors.audit.called).to.be.true;
+    expect(mockPushProcessors.checkCryptoImplementation.called).to.be.true;
 
     expect(result.type).to.equal('push');
     expect(result.allowPush).to.be.true;
@@ -170,6 +177,7 @@ describe('proxy chain', function () {
     mockPushProcessors.clearBareClone.resolves(continuingAction);
     mockPushProcessors.scanDiff.resolves(continuingAction);
     mockPushProcessors.blockForAuth.resolves(continuingAction);
+    mockPushProcessors.checkCryptoImplementation.resolves(continuingAction);
 
     const result = await chain.executeChain(req);
 
@@ -187,6 +195,7 @@ describe('proxy chain', function () {
     expect(mockPushProcessors.scanDiff.called).to.be.true;
     expect(mockPushProcessors.blockForAuth.called).to.be.true;
     expect(mockPushProcessors.audit.called).to.be.true;
+    expect(mockPushProcessors.checkCryptoImplementation.called).to.be.true;
 
     expect(result.type).to.equal('push');
     expect(result.allowPush).to.be.false;