kotlin.lang.security.use-of-md5.use-of-md5

Author: semgrep

Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.

Definition

rules:
  - id: use-of-md5
    message: Detected MD5 hash algorithm which is considered insecure. MD5 is not
      collision resistant and is therefore not suitable as a cryptographic
      signature. Use SHA256 or SHA3 instead.
    languages:
      - kt
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-328: Use of Weak Hash"
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5
      category: security
      technology:
        - kotlin
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      vulnerability_class:
        - Insecure Hashing Algorithm
    pattern-either:
      - pattern: |
          $VAR = $MD.getInstance("MD5")
      - pattern: |
          $DU.getMd5Digest().digest(...)
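The two patterns above are what the rule actually binds: an assignment whose right-hand side is exactly `$MD.getInstance("MD5")`, and any `.digest(...)` call on `$DU.getMd5Digest()`. To make that concrete, the following is an added example (not Semgrep's code and not part of the rule page) that approximates both patterns with regular expressions and runs them over a constructed Kotlin snippet. It also carries an optional broader check, so you can see the shape of call the first pattern does not cover: a `getInstance("MD5")` whose result is used directly without being assigned to a variable. Everything in it (the sample source, the `Finding` class, the function names) is constructed for this illustration; Semgrep itself matches on the AST, so the regexes are only a stand-in for the rule's single-line spellings.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed Kotlin source for the demonstration; not taken from the rule's test file.
SAMPLE_KOTLIN = """\
import java.security.MessageDigest
import org.apache.commons.codec.digest.DigestUtils

fun weak(password: String): ByteArray {
    val md5Digest: MessageDigest = MessageDigest.getInstance("MD5")
    return md5Digest.digest(password.toByteArray())
}

fun weakUtil(password: String): ByteArray =
    DigestUtils.getMd5Digest().digest(password.toByteArray())

fun weakInline(password: String): ByteArray =
    MessageDigest.getInstance("MD5").digest(password.toByteArray())

fun strong(password: String): ByteArray {
    val digest = MessageDigest.getInstance("SHA-256")
    return digest.digest(password.toByteArray())
}

fun strongUtil(password: String): ByteArray =
    DigestUtils.getSha256Digest().digest(password.toByteArray())
"""


@dataclass
class Finding:
    line: int      # 1-based line number in the scanned source
    pattern: str   # which pattern produced the finding
    text: str      # the offending line, stripped


# Regex stand-ins for the rule's two Semgrep patterns (single-line form only).
RULE_PATTERNS = {
    # $VAR = $MD.getInstance("MD5"): a name, optional type annotation, '=', then the call.
    '$VAR = $MD.getInstance("MD5")': re.compile(
        r'\b\w+\s*(?::\s*[\w.<>]+)?\s*=\s*[\w.]+\.getInstance\(\s*"MD5"\s*\)'
    ),
    # $DU.getMd5Digest().digest(...): any receiver, then the two chained calls.
    '$DU.getMd5Digest().digest(...)': re.compile(
        r'\b[\w.]+\.getMd5Digest\(\)\.digest\('
    ),
}

# Broader check not in the rule: any getInstance("MD5") call, assigned or not.
# JCA algorithm lookup is case-insensitive, so "md5" is accepted here as well.
UNASSIGNED_MD5 = re.compile(r'\.getInstance\(\s*"md5"\s*\)', re.IGNORECASE)


def find_md5_usage(source: str, include_unassigned: bool = False) -> list[Finding]:
    """Scan Kotlin source line by line and report MD5 usage.

    With include_unassigned=False the result mirrors what the rule's two
    patterns would flag; with True, calls whose digest is never bound to a
    variable are reported too.
    """
    findings: list[Finding] = []
    for number, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # line comments cannot contain a live call
        matched = False
        for name, regex in RULE_PATTERNS.items():
            if regex.search(line):
                findings.append(Finding(number, name, stripped))
                matched = True
        if include_unassigned and not matched and UNASSIGNED_MD5.search(line):
            findings.append(
                Finding(number, 'getInstance("MD5") not bound to a variable', stripped)
            )
    return findings


if __name__ == "__main__":
    for f in find_md5_usage(SAMPLE_KOTLIN, include_unassigned=True):
        print(f"line {f.line}: {f.pattern}: {f.text}")
```

Run against the sample, the rule-equivalent scan reports the assignment in `weak` and the `DigestUtils` call in `weakUtil`, but not the chained call in `weakInline`; the broader scan reports all three. That gap is inherent to the first pattern as written (it needs a `$VAR =` on the left), and the literal `"MD5"` is also case-sensitive even though the JCA accepts `"md5"`, so a team relying on this rule may want to add a second pattern for the unassigned form.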

Examples

use-of-md5.kt

import java.security.MessageDigest
import org.apache.commons.codec.digest.DigestUtils

class WeakHashes {
  fun sha256(password: String): ByteArray {
    // ok: use-of-md5
    // "SHA-256" is the standard JCA algorithm name
    val sha256Digest: MessageDigest = MessageDigest.getInstance("SHA-256")
    sha256Digest.update(password.toByteArray())
    val hashValue: ByteArray = sha256Digest.digest()
    return hashValue
  }

  fun sha256_digestutil(password: String): ByteArray {
    // ok: use-of-md5
    val hashValue: ByteArray = DigestUtils.getSha256Digest().digest(password.toByteArray())
    return hashValue
  }

  fun md5(password: String): ByteArray {
    // ruleid: use-of-md5
    val md5Digest: MessageDigest = MessageDigest.getInstance("MD5")
    md5Digest.update(password.toByteArray())
    val hashValue: ByteArray = md5Digest.digest()
    return hashValue
  }

  fun md5_digestutil(password: String): ByteArray {
    // ruleid: use-of-md5
    val hashValue: ByteArray = DigestUtils.getMd5Digest().digest(password.toByteArray())
    return hashValue
  }
}