go.lang.security.audit.crypto.bad_imports.insecure-module-used

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
157,350
Download Count*
LGPL Commons Clause
License

Detected use of an insecure cryptographic hashing method. This method is known to be broken and easily compromised. Use SHA256 or SHA3 instead.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: insecure-module-used
    message: Detected use of an insecure cryptographic hashing method. This method
      is known to be broken and easily compromised. Use SHA256 or SHA3 instead.
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      source-rule-url: https://github.com/securego/gosec
      references:
        - https://godoc.org/golang.org/x/crypto/sha3
      category: security
      technology:
        - go
      confidence: MEDIUM
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - go
    severity: WARNING
    pattern-either:
      - patterns:
          - pattern-inside: |
              import "crypto/md5"
              ...
          - pattern: |
              md5.$FUNC(...)
      - patterns:
          - pattern-inside: |
              import "crypto/des"
              ...
          - pattern: |
              des.$FUNC(...)
      - patterns:
          - pattern-inside: |
              import "crypto/sha1"
              ...
          - pattern: |
              sha1.$FUNC(...)
      - patterns:
          - pattern-inside: |
              import "crypto/rc4"
              ...
          - pattern: |
              rc4.$FUNC(...)
      - patterns:
          - pattern-inside: |
              import "net/http/cgi"
              ...
          - pattern: |
              cgi.$FUNC(...)

Examples

bad_imports.go

package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"crypto/rand"
	"crypto/rc4"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/cgi"
	"os"
)

func main1() {
	// ruleid: insecure-module-used
	cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
}

func main2() {
	// ruleid: insecure-module-used
	block, err := des.NewCipher([]byte("sekritz"))
	if err != nil {
		panic(err)
	}
	plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
	ciphertext := make([]byte, des.BlockSize+len(plaintext))
	iv := ciphertext[:des.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}
	stream := cipher.NewCFBEncrypter(block, iv)
	stream.XORKeyStream(ciphertext[des.BlockSize:], plaintext)
	fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
}

func main3() {
	for _, arg := range os.Args {
		// ruleid: insecure-module-used
		fmt.Printf("%x - %s\n", md5.Sum([]byte(arg)), arg)
	}
}

func main4() {
	// ruleid: insecure-module-used
	cipher, err := rc4.NewCipher([]byte("sekritz"))
	if err != nil {
		panic(err)
	}
	plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
	ciphertext := make([]byte, len(plaintext))
	cipher.XORKeyStream(ciphertext, plaintext)
	fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
}

func main5() {
	for _, arg := range os.Args {
		// ruleid: insecure-module-used
		fmt.Printf("%x - %s\n", sha1.Sum([]byte(arg)), arg)
	}
}