clojure.lang.security.use-of-md5.use-of-md5
semgrep
Author
unknown
Download Count*
License
MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.
Run Locally
Run in CI
Defintion
rules:
- id: use-of-md5
languages:
- clojure
severity: WARNING
message: MD5 hash algorithm detected. This is not collision resistant and leads
to easily-cracked password hashes. Replace with current recommended
hashing algorithms.
metadata:
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
- https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
technology:
- clojure
source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/weak-hash-function-md5.yml
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
cwe:
- "CWE-328: Use of Weak Hash"
author: Gabriel Marquet <gab.marquet@gmail.com>
category: security
subcategory:
- vuln
confidence: HIGH
likelihood: MEDIUM
impact: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Insecure Hashing Algorithm
pattern-either:
- pattern: (MessageDigest/getInstance "MD5")
- pattern: (MessageDigest/getInstance MessageDigestAlgorithms/MD5)
- pattern: (MessageDigest/getInstance
org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
- pattern: (java.security.MessageDigest/getInstance "MD5")
- pattern: (java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5)
- pattern: (java.security.MessageDigest/getInstance
org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
Examples
use-of-md5.clj
(import 'java.security.MessageDigest
'java.math.BigInteger)
(defn md5 [s]
// ruleid: use-of-md5
(let [algorithm (MessageDigest/getInstance "MD5")
size (* 2 (.getDigestLength algorithm))
raw (.digest algorithm (.getBytes s))
sig (.toString (BigInteger. 1 raw) 16)
padding (apply str (repeat (- size (count sig)) "0"))]
(str padding sig)))
(defn sha256 [s]
// ok: use-of-md5
(let [algorithm (MessageDigest/getInstance "SHA-256")
size (* 2 (.getDigestLength algorithm))
raw (.digest algorithm (.getBytes s))
sig (.toString (BigInteger. 1 raw) 16)
padding (apply str (repeat (- size (count sig)) "0"))]
(str padding sig)))
Short Link: https://sg.run/BgPx