java.lang.security.audit.crypto.use-of-md5.use-of-md5

Author
unknown
Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.
Definition
# Semgrep rule: flags the algorithm-name argument of
# java.security.MessageDigest.getInstance(...) when that argument is the
# literal "MD5", and offers an autofix that swaps the literal for "SHA-512".
rules:
- id: use-of-md5
  # NOTE(review): the message recommends HMAC, while the autofix under `fix:`
  # substitutes a plain SHA-512 digest. These are not interchangeable: HMAC is
  # a keyed construction for message authentication, a bare digest is unkeyed,
  # and password storage calls for a dedicated password-hashing function
  # instead of either. Whoever triages a finding has to pick by use case.
  message: Detected MD5 hash algorithm which is considered insecure. MD5 is not
    collision resistant and is therefore not suitable as a cryptographic
    signature. Use HMAC instead.
  languages:
  - java
  severity: WARNING
  metadata:
    functional-categories:
    - crypto::search::hash-algorithm::java.security
    owasp:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
    cwe:
    - "CWE-328: Use of Weak Hash"
    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5
    category: security
    technology:
    - java
    references:
    - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
    subcategory:
    - vuln
    likelihood: MEDIUM
    impact: MEDIUM
    confidence: HIGH
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Insecure Hashing Algorithm
  patterns:
  # Scope: only calls to java.security.MessageDigest.getInstance are matched.
  # MD5 obtained through other APIs is outside this rule; the example file
  # deliberately annotates DigestUtils.getMd5Digest() as "ok" for that reason.
  - pattern: |
      java.security.MessageDigest.getInstance($ALGO, ...);
  # The regex is tested against the text bound to $ALGO. For a string literal
  # that text presumably includes the quotes, which the leading and trailing
  # `.` absorb - confirm against the Semgrep version in use.
  # NOTE(review): as written the match is case-sensitive and needs the literal
  # at the call site. JCA algorithm names are not case-sensitive, so "md5", or
  # a name passed through a constant or variable, would presumably not be
  # reported. Worth adding test cases for both.
  - metavariable-regex:
      metavariable: $ALGO
      regex: (.MD5.)
  # Narrow the reported range to the algorithm argument so the autofix below
  # replaces only that literal and leaves the rest of the call untouched.
  - focus-metavariable: $ALGO
  # NOTE(review): applying this fix changes the digest length (16 bytes for
  # MD5, 64 bytes for SHA-512) and every stored or exchanged hash value, so it
  # needs a migration plan and cannot be applied blindly.
  fix: |
    "SHA-512"
Examples
use-of-md5.java
import java.security.MessageDigest;
import org.apache.commons.codec.digest.DigestUtils;
/**
 * Test fixture for the Semgrep rule {@code use-of-md5}.
 *
 * <p>A {@code // ruleid: use-of-md5} comment marks the following line as one the rule is expected
 * to report; a {@code // ok: use-of-md5} comment marks the following line as one it must not
 * report. The annotations describe what the rule matches, not whether the code is safe.
 *
 * <p>NOTE(review): the listing is not self-contained. {@code param} and {@code response} in
 * {@link #bad3()} are not declared anywhere in it, and no method declares or handles the checked
 * exception thrown by {@code MessageDigest.getInstance}.
 */
public class Bad{
    /**
     * Expected finding: MD5 is requested by its literal name through an imported
     * {@code MessageDigest}.
     *
     * @param password value to digest
     * @return the MD5 digest of {@code password}'s bytes
     */
    public byte[] bad1(String password) {
        // ruleid: use-of-md5
        MessageDigest md5Digest = MessageDigest.getInstance("MD5");
        // getBytes() without a charset uses the platform default on JDKs before 18, so the
        // digest of non-ASCII input can differ between hosts.
        md5Digest.update(password.getBytes());
        byte[] hashValue = md5Digest.digest();
        return hashValue;
    }
    /**
     * Expected non-finding, although the digest is still MD5: Commons Codec's
     * {@code DigestUtils.getMd5Digest()} is not a {@code java.security.MessageDigest.getInstance}
     * call, so the rule's pattern does not cover it. Read the "ok" annotation as a documented gap
     * in this rule's coverage, not as a statement that the code is acceptable.
     *
     * @param password value to digest
     * @return the MD5 digest of {@code password}'s bytes
     */
    public byte[] bad2(String password) {
        // ok: use-of-md5
        byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes());
        return hashValue;
    }
    /**
     * Expected finding: the same call as in {@code bad1}, written with the fully qualified class
     * name instead of the import.
     */
    public void bad3() {
        // ruleid: use-of-md5
        java.security.MessageDigest md = java.security.MessageDigest.getInstance("MD5");
        // Placeholder input, replaced below when inputParam is a String or an InputStream.
        byte[] input = {(byte) '?'};
        Object inputParam = param;
        if (inputParam instanceof String) input = ((String) inputParam).getBytes();
        if (inputParam instanceof java.io.InputStream) {
            byte[] strInput = new byte[1000];
            // A single read() call: at most the first 1000 bytes of the stream are hashed.
            int i = ((java.io.InputStream) inputParam).read(strInput);
            if (i == -1) {
                response.getWriter()
                .println(
                "This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
                return;
            }
            input = java.util.Arrays.copyOf(strInput, i);
        }
        md.update(input);
        // The digest is computed and then discarded; only the getInstance call matters here.
        byte[] result = md.digest();
    }
    /**
     * Expected non-finding: the algorithm literal is "SHA-512", which the rule's regex does not
     * match. The local is still named {@code md5Digest} although it holds a SHA-512 digest.
     *
     * <p>NOTE(review): the rule checks only the algorithm name. A single unsalted SHA-512 pass
     * over a password is still not a password-storage scheme; a dedicated password-hashing
     * function (bcrypt, scrypt, Argon2, PBKDF2) is the usual choice for that purpose.
     *
     * @param password value to digest
     * @return the SHA-512 digest of {@code password}'s bytes
     */
    public byte[] good(String password) {
        // ok: use-of-md5
        MessageDigest md5Digest = MessageDigest.getInstance("SHA-512");
        md5Digest.update(password.getBytes());
        byte[] hashValue = md5Digest.digest();
        return hashValue;
    }
}
Short Link: https://sg.run/ryJn