java.lang.security.audit.crypto.use-of-sha1.use-of-sha1

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*
LGPL Commons Clause
License

Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: use-of-sha1
    message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
      collision resistant and is therefore not suitable as a cryptographic
      signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512
      for other hash function applications.
    languages:
      - java
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-328: Use of Weak Hash"
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1
      asvs:
        section: V6 Stored Cryptography Verification Requirements
        control_id: 6.2.5 Insecure Algorithm
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
        version: "4"
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insecure Hashing Algorithm
    pattern-either:
      - pattern: |
          java.security.MessageDigest.getInstance("SHA1", ...);
      - pattern: |
          $DU.getSha1Digest().digest(...)

Examples

use-of-sha1.java

import java.security.MessageDigest;
import org.apache.commons.codec.digest.DigestUtils;

public class Bad {
  public byte[] bad1(String password) {
      // ruleid: use-of-sha1
      MessageDigest sha1Digest = MessageDigest.getInstance("SHA1");
      sha1Digest.update(password.getBytes());
      byte[] hashValue = sha1Digest.digest();
      return hashValue;
  }
  public byte[] bad2(String password) {
    // ruleid: use-of-sha1
    byte[] hashValue = DigestUtils.getSha1Digest().digest(password.getBytes());
    return hashValue;
  }

  public void bad3() {
      // ruleid: use-of-sha1
      java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN");
      byte[] input = {(byte) '?'};
      Object inputParam = bar;
      if (inputParam instanceof String) input = ((String) inputParam).getBytes();
      if (inputParam instanceof java.io.InputStream) {
          byte[] strInput = new byte[1000];
          int i = ((java.io.InputStream) inputParam).read(strInput);
          if (i == -1) {
              response.getWriter()
                      .println(
                              "This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
              return;
          }
          input = java.util.Arrays.copyOf(strInput, i);
      }
      md.update(input);
      byte[] result = md.digest();
      java.io.File fileTarget =
              new java.io.File(
                      new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
                      "passwordFile.txt");
      java.io.FileWriter fw =
              new java.io.FileWriter(fileTarget, true); // the true will append the new data
      fw.write(
              "hash_value="
                      + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true)
                      + "\n");
      fw.close();
  }
}