From 909c707978800b1881699feaf1057a408aa84800 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 21 Jan 2026 23:10:41 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Di?=
 =?UTF-8?q?sable=20insecure=20RC4=20algorithm?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🚨 Severity: HIGH
💡 Vulnerability: The codebase included active, though deprecated, methods for RC4 encryption (`Crypto.encryptRC4` and `Crypto.decryptRC4`). RC4 is a weak cryptographic algorithm with known vulnerabilities, making any data encrypted with it susceptible to being broken.
🎯 Impact: If a developer accidentally used these deprecated methods, they would be implementing weak, insecure encryption, putting sensitive data at risk of exposure.
🔧 Fix: The `encryptRC4` and `decryptRC4` methods in `Crypto.java` have been modified to throw a `CryptoException` upon being called. This effectively disables the algorithm and prevents its use, forcing a migration to more secure alternatives like AES.
✅ Verification: The build passes successfully, and the updated tests in `RC4Test.java` confirm that calling the RC4 methods now correctly throws a `CryptoException`.
---
 .gitignore                                    |  1 +
 .../richkmeli/jframework/crypto/Crypto.java   |  8 ++--
 .../test/java/crypto/algorithm/RC4Test.java   | 45 +++++--------------
 3 files changed, 17 insertions(+), 37 deletions(-)

diff --git a/.gitignore b/.gitignore
index 70e39ba..60de8a5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 
 # Log file
 *.log
+logfileConf.txt
 
 # BlueJ files
 *.ctxt
diff --git a/JFramework/crypto/src/main/java/it/richkmeli/jframework/crypto/Crypto.java b/JFramework/crypto/src/main/java/it/richkmeli/jframework/crypto/Crypto.java
index 6990a2f..08f29eb 100644
--- a/JFramework/crypto/src/main/java/it/richkmeli/jframework/crypto/Crypto.java
+++ b/JFramework/crypto/src/main/java/it/richkmeli/jframework/crypto/Crypto.java
@@ -131,8 +131,9 @@ public void deleteClientData() {
      * @see #encryptAES(String, String)
      */
     @Deprecated
-    public static String encryptRC4(String input, String key) {
-        return RC4.encrypt(input, key);
+    public static String encryptRC4(String input, String key) throws CryptoException {
+        //return RC4.encrypt(input, key);
+        throw new CryptoException("RC4 is insecure and should not be used. Use AES instead.");
     }
 
     /**
@@ -149,7 +150,8 @@ public static String encryptRC4(String input, String key) {
      */
     @Deprecated
     public static String decryptRC4(String input, String key) throws CryptoException {
-        return RC4.decrypt(input, key);
+        //return RC4.decrypt(input, key);
+        throw new CryptoException("RC4 is insecure and should not be used. Use AES instead.");
     }
 
     /**
diff --git a/JFramework/crypto/src/test/java/crypto/algorithm/RC4Test.java b/JFramework/crypto/src/test/java/crypto/algorithm/RC4Test.java
index 55e2a84..440e728 100644
--- a/JFramework/crypto/src/test/java/crypto/algorithm/RC4Test.java
+++ b/JFramework/crypto/src/test/java/crypto/algorithm/RC4Test.java
@@ -9,43 +9,20 @@
 
 public class RC4Test {
 
-    @Test
-    public void encrypt_decrypt() {
-
-        for (int i : plainTextLengths) {
-            for (int i2 : keyLengths) {
-
-                String plain = genString(i);
-                String key = genString(i2);
-
-                String encrypted = Crypto.encryptRC4(plain, key);
-                String decrypted = null;
-                try {
-                    decrypted = Crypto.decryptRC4(encrypted, key);
-                } catch (CryptoException e) {
-                    e.printStackTrace();
-                    assert false;
-                }
-
-                assertEquals(plain, decrypted);
-            }
-        }
-    }
+    @Test(expected = CryptoException.class)
+    public void encryptRC4ShouldFail() throws CryptoException {
+        String plain = genString(10);
+        String key = genString(10);
 
-    @Test
-    public void decryptWrongString() {
-        String encrypted = "NJ12_eEyaN8cf348RQf9_w=";
-        try {
-            Crypto.decryptRC4(encrypted, "richktest");
-            assert false;
-        } catch (CryptoException e) {
-            //e.printStackTrace();
-            assert true;
-        }
+        // this should fail, as RC4 is insecure
+        Crypto.encryptRC4(plain, key);
     }
 
-        @Test
-    public void encrypt_decrypt__BcCompability() {
+    @Test(expected = CryptoException.class)
+    public void decryptRC4ShouldFail() throws CryptoException {
+        String encrypted = "NJ12_eEyaN8cf348RQf9_w=";
+        // this should fail, as RC4 is insecure
+        Crypto.decryptRC4(encrypted, "richktest");
     }