Skip to content

Test jaswanth#54

Closed
jkosanam wants to merge 2 commits intomainfrom
test-jaswanth
Closed

Test jaswanth#54
jkosanam wants to merge 2 commits intomainfrom
test-jaswanth

Conversation

@jkosanam
Copy link
Collaborator

@jkosanam jkosanam commented Jul 25, 2025

No description provided.

semgrep-code-digitalocean[bot]
semgrep-code-digitalocean bot reviewed Jul 25, 2025
View reviewed changes
src/util.ts
Comment on lines +176 to +180
const decipher = crypto.createDecipheriv(
'aes-256-gcm',
key,
Buffer.from(ivHex, 'hex')
);
Copy link

@semgrep-code-digitalocean semgrep-code-digitalocean bot Jul 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
const decipher = crypto.createDecipheriv(
'aes-256-gcm',
key,
Buffer.from(ivHex, 'hex')
);
const decipher = crypto.createDecipheriv(
'aes-256-gcm',
key,
Buffer.from(ivHex, 'hex'),
{ authTagLength: 16 } // Specify the expected authentication tag length in bytes
);
View step-by-step instructions
  1. Pass an additional options object with the authTagLength property set to 16 as the fourth parameter to crypto.createDecipheriv. For example:
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(ivHex, 'hex'), { authTagLength: 16 });
  2. Make sure that the value for authTagLength matches the length of the authentication tag you use when calling decipher.setAuthTag.
    In AES-GCM, a typical tag length is 16 bytes (128 bits). This helps prevent attackers from supplying shorter authentication tags when decrypting.
  3. Review and update any other instances of createDecipheriv with a GCM mode in your codebase to use the authTagLength option as well.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by gcm-no-tag-length.

Questions about this issue? Reach out to Product Security in #prodsec-tools.

You can view more details about this finding in the Semgrep AppSec Platform.

@jkosanam jkosanam closed this Aug 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@semgrep-code-digitalocean semgrep-code-digitalocean[bot] semgrep-code-digitalocean[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jkosanam @code-by-jassu