go.lang.security.audit.crypto.bad_imports.insecure-module-used

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
157,350
Download Count*

Detected use of an insecure cryptographic hashing method. This method is known to be broken and easily compromised. Use SHA256 or SHA3 instead.

Run Locally

Run in CI

Defintion

rules:
  - id: insecure-module-used
    message: Detected use of an insecure cryptographic hashing method. This method
      is known to be broken and easily compromised. Use SHA256 or SHA3 instead.
    metadata:
      owasp: "A9: Using Components with Known Vulnerabilities"
      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      source-rule-url: https://github.com/securego/gosec
      references:
        - https://godoc.org/golang.org/x/crypto/sha3
      category: security
      technology:
        - go
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - go
    severity: WARNING
    pattern-either:
      - patterns:
          - pattern-inside: |
              import "crypto/md5"
              ...
          - pattern: |
              md5.$FUNC(...)
      - patterns:
          - pattern-inside: |
              import "crypto/des"
              ...
          - pattern: |
              des.$FUNC(...)
      - patterns:
          - pattern-inside: |
              import "crypto/sha1"
              ...
          - pattern: |
              sha1.$FUNC(...)
      - patterns:
          - pattern-inside: |
              import "crypto/rc4"
              ...
          - pattern: |
              rc4.$FUNC(...)
      - patterns:
          - pattern-inside: |
              import "net/http/cgi"
              ...
          - pattern: |
              cgi.$FUNC(...)

Examples

bad_imports.go

package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"crypto/rand"
	"crypto/rc4"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/cgi"
	"os"
)

func main1() {
	// ruleid: insecure-module-used
	cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
}

func main2() {
	// ruleid: insecure-module-used
	block, err := des.NewCipher([]byte("sekritz"))
	if err != nil {
		panic(err)
	}
	plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
	ciphertext := make([]byte, des.BlockSize+len(plaintext))
	iv := ciphertext[:des.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}
	stream := cipher.NewCFBEncrypter(block, iv)
	stream.XORKeyStream(ciphertext[des.BlockSize:], plaintext)
	fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
}

func main3() {
	for _, arg := range os.Args {
		// ruleid: insecure-module-used
		fmt.Printf("%x - %s\n", md5.Sum([]byte(arg)), arg)
	}
}

func main4() {
	// ruleid: insecure-module-used
	cipher, err := rc4.NewCipher([]byte("sekritz"))
	if err != nil {
		panic(err)
	}
	plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
	ciphertext := make([]byte, len(plaintext))
	cipher.XORKeyStream(ciphertext, plaintext)
	fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
}

func main5() {
	for _, arg := range os.Args {
		// ruleid: insecure-module-used
		fmt.Printf("%x - %s\n", sha1.Sum([]byte(arg)), arg)
	}
}