Import blacklist: crypto/rc4 GSC-G503

Detects imports of crypto/rc4 since it is considered vulnerable.

Go's official documentation also warns against the usage of RC4

Most common alternative for the insecure algorithm:

• Use AES-128-256 instead of RC4

Although, we recommend doing some initial research before using any encryption/hashing algorithm to determine which is best for your use case.

Refer https://en.wikipedia.org/wiki/RC4 to understand the vulnerability in detail.

Bad practice

package main

import (
    "crypto/rc4"
    "encoding/hex"
    "fmt"
)

func main() {
    cipher, err := rc4.NewCipher([]byte("sekritz"))
    if err != nil {
        panic(err)
    }

    plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
    ciphertext := make([]byte, len(plaintext))
    cipher.XORKeyStream(ciphertext, plaintext)
    fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
}

References

• OWASP A2:2021
• CWE-327