php.lang.security.weak-crypto.weak-crypto

profile photo of returntocorpreturntocorp
Author
4,191
Download Count*
LGPL Commons Clause
License

Detected usage of weak crypto function. Consider using stronger alternatives.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: weak-crypto
    patterns:
      - pattern: $FUNC(...);
      - metavariable-regex:
          metavariable: $FUNC
          regex: crypt|md5|md5_file|sha1|sha1_file|str_rot13
    message: Detected usage of weak crypto function. Consider using stronger
      alternatives.
    metadata:
      cwe:
        - "CWE-328: Use of Weak Hash"
      references:
        - https://www.php.net/manual/en/book.sodium.php
        - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php
      category: security
      technology:
        - php
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - php
    severity: ERROR

Examples

weak-crypto.php

<?php

// ruleid: weak-crypto
$hashed_password = crypt('mypassword');

// ruleid: weak-crypto
$hashed_password = md5('mypassword');

// ruleid: weak-crypto
$hashed_password = md5_file('filename.txt');

// ruleid: weak-crypto
$hashed_password = sha1('mypassword');

// ruleid: weak-crypto
$hashed_password = sha1_file('filename.txt');

// ruleid: weak-crypto
$hashed_password = str_rot13('totally secure');

// ok: weak-crypto
$hashed_password = sodium_crypto_generichash('mypassword');