python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-md2
Verified by r2c
Community Favorite

Download Count: 99,223
Detected MD2 hash algorithm which is considered insecure. This algorithm has many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead.
Definition
rules:
- id: insecure-hash-algorithm-md2
  message: Detected MD2 hash algorithm which is considered insecure. This
    algorithm has many known vulnerabilities and has been deprecated. Use
    SHA256 or SHA3 instead.
  metadata:
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59
    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
    owasp: "A3: Sensitive Data Exposure"
    references:
    - https://tools.ietf.org/html/rfc6149
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
    - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html
    category: security
    technology:
    - pycryptodome
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  severity: WARNING
  languages:
  - python
  pattern-either:
  - pattern: Crypto.Hash.MD2.new(...)
  - pattern: Cryptodome.Hash.MD2.new(...)
Examples
insecure-hash-algorithm.py
# cf. https://github.com/PyCQA/bandit/blob/b78c938c0bd03d201932570f5e054261e10c5750/examples/crypto-md5.py
from cryptography.hazmat.primitives import hashes
from Crypto.Hash import MD2 as pycrypto_md2
from Crypto.Hash import MD4 as pycrypto_md4
from Crypto.Hash import MD5 as pycrypto_md5
from Crypto.Hash import SHA as pycrypto_sha
from Cryptodome.Hash import MD2 as pycryptodomex_md2
from Cryptodome.Hash import MD4 as pycryptodomex_md4
from Cryptodome.Hash import MD5 as pycryptodomex_md5
from Cryptodome.Hash import SHA as pycryptodomex_sha
from Crypto.Hash import SHA3_256
# ok:insecure-hash-algorithm-md2
# ok:insecure-hash-algorithm-md5
# ok:insecure-hash-algorithm-sha1
# ok:insecure-hash-algorithm-md4
h_obj = SHA3_256.new()
h_obj.update(b'Some data')
print(h_obj.hexdigest())
# ruleid:insecure-hash-algorithm-md2
pycrypto_md2.new()
# ruleid:insecure-hash-algorithm-md4
pycrypto_md4.new()
# ruleid:insecure-hash-algorithm-md5
pycrypto_md5.new()
# ruleid:insecure-hash-algorithm-sha1
pycrypto_sha.new()
# ruleid:insecure-hash-algorithm-md2
pycryptodomex_md2.new()
# ruleid:insecure-hash-algorithm-md4
pycryptodomex_md4.new()
# ruleid:insecure-hash-algorithm-md5
pycryptodomex_md5.new()
# ruleid:insecure-hash-algorithm-sha1
pycryptodomex_sha.new()
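The example file shows the rule's two fully qualified patterns firing on aliased imports such as `pycrypto_md2.new()`. The following added sketch (not Semgrep's matcher and not code from the rule's authors) reproduces that alias resolution with the standard-library `ast` module; the names `find_md2_calls`, `dotted_name` and `SAMPLE` are hypothetical.

```python
import ast

# Fully qualified modules named by the rule's two patterns.
MD2_MODULES = {"Crypto.Hash.MD2", "Cryptodome.Hash.MD2"}

def dotted_name(node):  # 'a.b.c' for a Name/Attribute chain, else None
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join(reversed(parts + [node.id]))

def find_md2_calls(source):
    """Line numbers of MD2.new(...) calls, with import aliases resolved."""
    tree = ast.parse(source)  # parse only; the scanned code never runs
    aliases = {}  # local name -> dotted name (file-wide; scope is ignored)
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        elif isinstance(node, ast.Import):
            for a in node.names:
                # "import x.y" binds only "x"; "import x.y as z" binds z to x.y
                root = a.name.split(".")[0]
                aliases[a.asname or root] = a.name if a.asname else root
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or (name := dotted_name(node.func)) is None:
            continue
        head, _, rest = name.partition(".")
        full = aliases.get(head, head) + ("." + rest if rest else "")
        module, _, attr = full.rpartition(".")
        if attr == "new" and module in MD2_MODULES:
            hits.append(node.lineno)
    return sorted(hits)

# Constructed sample input, modelled on the rule's example file.
SAMPLE = """\
from Crypto.Hash import MD2 as pycrypto_md2
from Cryptodome.Hash import MD2 as pycryptodomex_md2
from Crypto.Hash import SHA3_256
SHA3_256.new()
pycrypto_md2.new()
pycryptodomex_md2.new(b"data")
"""

if __name__ == "__main__":
    print(find_md2_calls(SAMPLE))
```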
Short Link: https://sg.run/8nqy