java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils


Detected use of the MD5 hash algorithm, which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.


Definition

# Semgrep rule: flags MD5 digests obtained through Apache Commons Codec
# (DigestUtils.getMd5Digest().digest(...)). The JCA form
# MessageDigest.getInstance("MD5") is NOT matched here, because $DU below
# is pinned to DigestUtils; the example file marks that form as "ok" for
# this rule.
rules:
  - id: use-of-md5-digest-utils
    message: Detected MD5 hash algorithm which is considered insecure. MD5 is not
      collision resistant and is therefore not suitable as a cryptographic
      signature. Use HMAC instead.
    languages:
      - java
    severity: WARNING
    metadata:
      functional-categories:
        - crypto::search::hash-algorithm::org.apache.commons
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-328: Use of Weak Hash"
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insecure Hashing Algorithm
    patterns:
      # Shape of the call: <receiver>.<getter>().digest(<any args>).
      # Both metavariables are constrained below, so only the Commons Codec
      # MD5 getter followed by a digest() call is reported.
      - pattern: |
          $DU.$GET_ALGO().digest(...)
      # The getter must be exactly getMd5Digest (other DigestUtils getters
      # such as getSha512Digest are left alone).
      - metavariable-pattern:
          metavariable: $GET_ALGO
          pattern: getMd5Digest
      # The receiver must be the DigestUtils class itself.
      - metavariable-pattern:
          metavariable: $DU
          pattern: DigestUtils
      # Narrow the reported range (and the autofix) to the getter name only,
      # so the fix below rewrites just that identifier.
      - focus-metavariable: $GET_ALGO
    # NOTE(review): the message recommends HMAC, but the autofix substitutes a
    # plain SHA-512 digest; the right replacement depends on what the hash is
    # used for (integrity/authentication wants a keyed MAC, password storage
    # wants a dedicated password hash). The fix also changes the digest length
    # from 16 to 64 bytes, so any code that stores or compares fixed-width
    # hashes needs a matching change.
    fix: |
      getSha512Digest

Examples

use-of-md5-digest-utils.java

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.apache.commons.codec.digest.DigestUtils;

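/**
 * Test fixture for the {@code use-of-md5-digest-utils} rule: {@code bad2} must
 * be reported, {@code bad1} and {@code ok} must not. The {@code // ruleid:} and
 * {@code // ok:} annotations are consumed by the rule's test harness and must
 * stay on the line directly above the call they describe.
 */
public class Bad{
  /**
   * Hashes {@code password} with the JCA MD5 digest. This rule does not match
   * it (the rule only looks at {@code DigestUtils}), but MD5 is still a weak
   * digest and an unsalted digest is not a password-storage scheme.
   *
   * @param password input to hash
   * @return the 16-byte MD5 digest
   * @throws IllegalStateException if no provider offers "MD5"; the Java SE
   *     specification requires MD5 support, so this indicates a broken
   *     provider configuration rather than a normal condition
   */
  public byte[] bad1(String password) {
    final MessageDigest md5Digest;
    try {
      // ok: use-of-md5-digest-utils
      md5Digest = MessageDigest.getInstance("MD5");
    } catch (NoSuchAlgorithmException e) {
      // Checked exception in the original was neither caught nor declared.
      throw new IllegalStateException("MD5 MessageDigest unavailable", e);
    }
    // Explicit charset: getBytes() without one uses the platform default,
    // which makes the digest machine-dependent.
    md5Digest.update(password.getBytes(StandardCharsets.UTF_8));
    return md5Digest.digest();
  }

  /**
   * Hashes {@code password} with the Commons Codec MD5 digest. This is exactly
   * the call shape the rule matches ({@code DigestUtils.getMd5Digest().digest(...)});
   * the autofix rewrites the getter to {@code getSha512Digest}.
   *
   * @param password input to hash
   * @return the 16-byte MD5 digest
   */
  public byte[] bad2(String password) {
    // ruleid: use-of-md5-digest-utils
    return DigestUtils.getMd5Digest().digest(password.getBytes(StandardCharsets.UTF_8));
  }

  /**
   * The post-fix form: SHA-512 via Commons Codec. A bare SHA-512 of a password
   * is still not a password-hashing scheme (no salt, no work factor); this
   * method only demonstrates what the rule accepts.
   *
   * @param password input to hash
   * @return the 64-byte SHA-512 digest
   */
  public byte[] ok(String password) {
    // ok: use-of-md5-digest-utils
    return DigestUtils.getSha512Digest().digest(password.getBytes(StandardCharsets.UTF_8));
  }

}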