
codemod/replace-default-aes-with-explicit-mode

Replace Cipher.getInstance(AES) with explicit Cipher.getInstance(AES/CBC/PKCS5Padding) configuration

Tags: security, encryption, cryptography, aes, cipher

Public · 0 downloads · 1 star
How to Use
Run this codemod on your codebase using one of the following commands

The easiest way to run this codemod without installing anything globally:

Documentation

@codemod/replace-default-aes-with-explicit-mode

Replace insecure default AES cipher with explicit CBC mode and padding to prevent cryptographic vulnerabilities.

Security Issue

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

`Cipher.getInstance("AES")` names an algorithm but no mode or padding, so the provider fills in its own defaults. On the JDK's SunJCE provider that shorthand resolves to `AES/ECB/PKCS5Padding`, i.e. Electronic Codebook (ECB) mode. ECB encrypts every 16-byte plaintext block independently under the same key, so identical plaintext blocks always produce identical ciphertext blocks and any repetition in the data is visible in the ciphertext. Because the default is provider-specific, the only way to know what mode you are actually getting is to name it in the transformation string.

This codemod addresses OWASP Top 10 A02:2021 - Cryptographic Failures by making the cipher mode and padding explicit.

What It Does

This codemod automatically transforms insecure AES cipher configurations to use explicit CBC mode with PKCS5Padding:

Before

java

After

java

Transformations Applied

Direct cipher calls

java

Static imports

java

Cipher algorithm constants

java

What's NOT Transformed

Already explicit configurations (no changes needed)

java

Variable parameters (requires manual review)

java

Non-cipher string literals

java

Installation & Usage

bash

Important Security Notes

⚠️ After applying this codemod, you must:

  1. Generate and manage Initialization Vectors (IVs) properly for CBC mode: CBC requires a 16-byte IV, supplied through an `IvParameterSpec` on `init`, and the same IV is needed to decrypt
  2. Use a fresh, cryptographically secure random IV (from `SecureRandom`) for each encryption operation; CBC IVs must be unpredictable, and reusing an IV under the same key reveals whether two messages share a common prefix
  3. Store/transmit IVs alongside encrypted data (IVs don't need to be secret)
  4. Review any flagged variable parameter cases manually
  5. Authenticate the ciphertext: `AES/CBC/PKCS5Padding` provides confidentiality only. An attacker who can submit modified ciphertexts and distinguish padding errors from other failures can run a padding-oracle attack. Prefer `AES/GCM/NoPadding` where possible, or compute an HMAC over IV and ciphertext (encrypt-then-MAC) and verify it before decrypting

Example of proper IV usage:

java
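The following self-contained Java program is an added example, not code from this codemod's README or from the codemod itself. It ties the Security Issue section to the IV requirements above: it encrypts a constructed plaintext of four identical 16-byte blocks once with the default `Cipher.getInstance("AES")` (which the SunJCE provider resolves to ECB) and once with the explicit `AES/CBC/PKCS5Padding` transformation and a `SecureRandom` IV carried in front of the ciphertext, then decrypts the CBC output to confirm the round trip. The class name `CbcIvExample`, the `encrypt`/`decrypt`/`distinctBlocks` helpers and the IV-prefix layout are the example's own choices, not part of the codemod.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class CbcIvExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int BLOCK = 16; // AES block size in bytes; CBC IV is one block

    // Encrypt with an explicit transformation and a fresh random IV.
    // Output layout (example's own convention): IV (16 bytes) || ciphertext.
    // The IV is public, so it can travel with the ciphertext; the key must not.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv); // new unpredictable IV for every call
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Split off the IV prefix and decrypt with the same explicit transformation.
    static byte[] decrypt(SecretKey key, byte[] ivAndCiphertext) throws Exception {
        if (ivAndCiphertext.length < 2 * BLOCK) {
            throw new IllegalArgumentException("input too short to hold an IV and one block");
        }
        byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, BLOCK);
        byte[] ct = Arrays.copyOfRange(ivAndCiphertext, BLOCK, ivAndCiphertext.length);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(ct);
    }

    // Number of distinct 16-byte blocks in a ciphertext: a repeated block is the ECB tell.
    static int distinctBlocks(byte[] ct) {
        Set<String> seen = new HashSet<>();
        for (int i = 0; i + BLOCK <= ct.length; i += BLOCK) {
            seen.add(Base64.getEncoder().encodeToString(Arrays.copyOfRange(ct, i, i + BLOCK)));
        }
        return seen.size();
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // Constructed input: the same 16-byte block repeated four times (64 bytes).
        byte[] block = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);
        byte[] plaintext = new byte[4 * BLOCK];
        for (int i = 0; i < 4; i++) {
            System.arraycopy(block, 0, plaintext, i * BLOCK, BLOCK);
        }

        // Before: the default transformation. On SunJCE "AES" means AES/ECB/PKCS5Padding,
        // so the four identical plaintext blocks become four identical ciphertext blocks.
        Cipher defaultCipher = Cipher.getInstance("AES");
        defaultCipher.init(Cipher.ENCRYPT_MODE, key); // no IV: ECB takes none
        byte[] ecbCt = defaultCipher.doFinal(plaintext);
        System.out.println("default \"AES\": " + ecbCt.length / BLOCK + " blocks, "
                + distinctBlocks(ecbCt) + " distinct");

        // After: explicit mode and padding, random IV prepended to the ciphertext.
        byte[] cbcOut = encrypt(key, plaintext);
        byte[] cbcCt = Arrays.copyOfRange(cbcOut, BLOCK, cbcOut.length);
        System.out.println("AES/CBC/PKCS5Padding: " + cbcCt.length / BLOCK + " blocks, "
                + distinctBlocks(cbcCt) + " distinct");

        byte[] recovered = decrypt(key, cbcOut);
        System.out.println("round trip ok: " + Arrays.equals(plaintext, recovered));
    }
}
```

Compile and run with `javac CbcIvExample.java && java CbcIvExample`. Under the default transformation the repeated plaintext block encrypts to the same ciphertext block each time, so only two distinct blocks appear among the five (the repeated block and the final PKCS5 padding block); under CBC all five ciphertext blocks differ and the plaintext round-trips. The example deliberately stops at what the codemod produces: `AES/CBC/PKCS5Padding` is unauthenticated, so production code should prefer `AES/GCM/NoPadding` or add an HMAC over IV and ciphertext and verify it before calling `decrypt`.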

Security References

Development

bash

License

MIT
