Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved

      Description

      Questionable Code Example

      // === MessageDigest ===
      import java.security.MessageDigest;
      import java.security.Provider;
      
      class A {
          void foo(String algorithm, String providerStr, Provider provider) throws Exception {
              MessageDigest.getInstance(algorithm); // Questionable
              MessageDigest.getInstance(algorithm, providerStr); // Questionable
              MessageDigest.getInstance(algorithm, provider); // Questionable
          }
      }
      

      Regarding SecretKeyFactory: any call to SecretKeyFactory.getInstance("...") whose algorithm argument starts with "PBKDF2" will be highlighted. See the OWASP guidelines, the list of standard algorithms, and the algorithms available on Android.

      // === javax.crypto ===
      import javax.crypto.spec.PBEKeySpec;
      import javax.crypto.SecretKeyFactory;
      
      class A {
          void foo(char[] password, byte[] salt, int iterationCount, int keyLength) throws Exception {
              // Questionable. Review this, even if it is the way recommended by OWASP
              SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
              PBEKeySpec spec = new PBEKeySpec(password, salt, iterationCount, keyLength);
              factory.generateSecret(spec).getEncoded();
          }
      }
      

      Regarding Guava, only the hash functions that are commonly misused on sensitive data raise an issue, i.e. md5 and the sha* family (sha1, sha256, sha384, sha512).

      // === Guava ===
      import com.google.common.hash.Hashing;
      
      class A {
          void foo() {
              Hashing.md5(); // Questionable
              Hashing.sha1(); // Questionable
              Hashing.sha256(); // Questionable
              Hashing.sha384(); // Questionable
              Hashing.sha512(); // Questionable
          }
      }
      
      // === org.apache.commons ===
      import org.apache.commons.codec.digest.DigestUtils;
      
      class A {
          void foo(String strName, byte[] data, String str, java.io.InputStream stream) throws Exception {
              new DigestUtils(strName); // Questionable
              new DigestUtils(); // Questionable
      
              DigestUtils.getMd2Digest(); // Questionable
              DigestUtils.getMd5Digest(); // Questionable
              DigestUtils.getShaDigest(); // Questionable
              DigestUtils.getSha1Digest(); // Questionable
              DigestUtils.getSha256Digest(); // Questionable
              DigestUtils.getSha384Digest(); // Questionable
              DigestUtils.getSha512Digest(); // Questionable
      
      
              DigestUtils.md2(data); // Questionable
              DigestUtils.md2(stream); // Questionable
              DigestUtils.md2(str); // Questionable
              DigestUtils.md2Hex(data); // Questionable
              DigestUtils.md2Hex(stream); // Questionable
              DigestUtils.md2Hex(str); // Questionable
      
              DigestUtils.md5(data); // Questionable
              DigestUtils.md5(stream); // Questionable
              DigestUtils.md5(str); // Questionable
              DigestUtils.md5Hex(data); // Questionable
              DigestUtils.md5Hex(stream); // Questionable
              DigestUtils.md5Hex(str); // Questionable
      
              DigestUtils.sha(data); // Questionable
              DigestUtils.sha(stream); // Questionable
              DigestUtils.sha(str); // Questionable
              DigestUtils.shaHex(data); // Questionable
              DigestUtils.shaHex(stream); // Questionable
              DigestUtils.shaHex(str); // Questionable
      
              DigestUtils.sha1(data); // Questionable
              DigestUtils.sha1(stream); // Questionable
              DigestUtils.sha1(str); // Questionable
              DigestUtils.sha1Hex(data); // Questionable
              DigestUtils.sha1Hex(stream); // Questionable
              DigestUtils.sha1Hex(str); // Questionable
      
              DigestUtils.sha256(data); // Questionable
              DigestUtils.sha256(stream); // Questionable
              DigestUtils.sha256(str); // Questionable
              DigestUtils.sha256Hex(data); // Questionable
              DigestUtils.sha256Hex(stream); // Questionable
              DigestUtils.sha256Hex(str); // Questionable
      
              DigestUtils.sha384(data); // Questionable
              DigestUtils.sha384(stream); // Questionable
              DigestUtils.sha384(str); // Questionable
              DigestUtils.sha384Hex(data); // Questionable
              DigestUtils.sha384Hex(stream); // Questionable
              DigestUtils.sha384Hex(str); // Questionable
      
              DigestUtils.sha512(data); // Questionable
              DigestUtils.sha512(stream); // Questionable
              DigestUtils.sha512(str); // Questionable
              DigestUtils.sha512Hex(data); // Questionable
              DigestUtils.sha512Hex(stream); // Questionable
              DigestUtils.sha512Hex(str); // Questionable
          }
      }
      
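      As an added illustration (not part of this rule specification or of the SonarJava implementation, which works on the syntax tree), the matching criteria described above for MessageDigest, SecretKeyFactory, Guava Hashing and Commons Codec DigestUtils can be expressed as a small line-oriented scanner. The sample Java input is constructed for the demonstration and mixes flagged and non-flagged calls to show the boundaries the spec draws.

```python
import re

# Matching rules reconstructed from the "Questionable" cases listed in this spec.
# Assumption: a textual, line-oriented scan is sufficient for the illustration.
RULES = [
    ("MessageDigest.getInstance", re.compile(r"\bMessageDigest\.getInstance\s*\(")),
    # SecretKeyFactory is flagged only when the algorithm literal starts with PBKDF2
    ("SecretKeyFactory PBKDF2",
     re.compile(r'\bSecretKeyFactory\.getInstance\s*\(\s*"PBKDF2')),
    # Guava: only md5 and the sha* hash functions, never the other Hashing members
    ("Guava Hashing", re.compile(r"\bHashing\.(?:md5|sha1|sha256|sha384|sha512)\s*\(")),
    ("DigestUtils constructor", re.compile(r"\bnew\s+DigestUtils\s*\(")),
    # Commons Codec: getXxxDigest(), xxx(...) and xxxHex(...) for md2/md5/sha*
    ("DigestUtils static", re.compile(
        r"\bDigestUtils\.(?:get(?:Md2|Md5|Sha512|Sha384|Sha256|Sha1|Sha)Digest"
        r"|(?:md2|md5|sha512|sha384|sha256|sha1|sha)(?:Hex)?)\s*\(")),
]


def find_sensitive_hashing(java_source: str):
    """Return (line number, rule name, matched text) for every questionable call."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for name, pattern in RULES:
            match = pattern.search(code)
            if match:
                findings.append((lineno, name, match.group(0).strip()))
    return findings


# Constructed sample input: lines 3 and 5 must NOT be reported.
SAMPLE = """\
MessageDigest.getInstance("SHA-256");
SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
SecretKeyFactory.getInstance("AES");
Hashing.md5();
Hashing.murmur3_128();
new DigestUtils("SHA-256");
DigestUtils.sha256Hex(data);
DigestUtils.getShaDigest();
"""

if __name__ == "__main__":
    for lineno, name, call in find_sensitive_hashing(SAMPLE):
        print(f"line {lineno}: {name}: {call}")
```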

            People

            • Assignee:
              Unassigned
            • Reporter:
              Nicolas Harraudeau