clojure.lang.security.use-of-md5.use-of-md5

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: use-of-md5
    languages:
      - clojure
    severity: WARNING
    message: MD5 hash algorithm detected. This is not collision resistant and leads
      to easily-cracked password hashes. Replace with current recommended
      hashing algorithms.
    metadata:
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
        - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
      technology:
        - clojure
      source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/weak-hash-function-md5.yml
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-328: Use of Weak Hash"
      author: Gabriel Marquet <gab.marquet@gmail.com>
      category: security
      subcategory:
        - vuln
      confidence: HIGH
      likelihood: MEDIUM
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insecure Hashing Algorithm
    pattern-either:
      - pattern: (MessageDigest/getInstance "MD5")
      - pattern: (MessageDigest/getInstance MessageDigestAlgorithms/MD5)
      - pattern: (MessageDigest/getInstance
          org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
      - pattern: (java.security.MessageDigest/getInstance "MD5")
      - pattern: (java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5)
      - pattern: (java.security.MessageDigest/getInstance
          org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)

Examples

use-of-md5.clj

(import 'java.security.MessageDigest
        'java.math.BigInteger)

(defn md5 [s]
  // ruleid: use-of-md5
  (let [algorithm (MessageDigest/getInstance "MD5")
        size (* 2 (.getDigestLength algorithm))
        raw (.digest algorithm (.getBytes s))
        sig (.toString (BigInteger. 1 raw) 16)
        padding (apply str (repeat (- size (count sig)) "0"))]
    (str padding sig)))

(defn sha256 [s]
  // ok: use-of-md5
  (let [algorithm (MessageDigest/getInstance "SHA-256")
        size (* 2 (.getDigestLength algorithm))
        raw (.digest algorithm (.getBytes s))
        sig (.toString (BigInteger. 1 raw) 16)
        padding (apply str (repeat (- size (count sig)) "0"))]
    (str padding sig)))