ruby.lang.security.weak-hashes-md5.weak-hashes-md5

Community Favorite
profile photo of semgrepsemgrep
Author
46,077
Download Count*

Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.

Run Locally

Run in CI

Defintion

rules:
  - id: weak-hashes-md5
    message: Should not use md5 to generate hashes. md5 is proven to be vulnerable
      through the use of brute-force attacks. Could also result in collisions,
      leading to potential collision attacks. Use SHA256 or other hashing
      functions instead.
    metadata:
      cwe:
        - "CWE-328: Use of Weak Hash"
      references:
        - https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575
      category: security
      technology:
        - ruby
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insecure Hashing Algorithm
    languages:
      - ruby
    severity: WARNING
    pattern-either:
      - pattern: Digest::MD5.base64digest $X
      - pattern: Digest::MD5.hexdigest $X
      - pattern: Digest::MD5.digest $X
      - pattern: Digest::MD5.new
      - pattern: OpenSSL::Digest::MD5.base64digest $X
      - pattern: OpenSSL::Digest::MD5.hexdigest $X
      - pattern: OpenSSL::Digest::MD5.digest $X
      - pattern: OpenSSL::Digest::MD5.new

Examples

weak-hashes-md5.rb

require 'digest'
class Bad_md5
    def bad_md5_code()
        # ruleid: weak-hashes-md5
        md5 = Digest::MD5.hexdigest 'abc'
        # ruleid: weak-hashes-md5
        md5 = Digest::MD5.new
        # ruleid: weak-hashes-md5
        md5 = Digest::MD5.base64digest 'abc'
        # ruleid: weak-hashes-md5
        md5 = Digest::MD5.digest 'abc'

        # ruleid: weak-hashes-md5
        digest = OpenSSL::Digest::MD5.new
        # ruleid: weak-hashes-md5
        digest = OpenSSL::Digest::MD5.hexdigest 'abc'
        # ruleid: weak-hashes-md5
        digest = OpenSSL::Digest::MD5.new
        # ruleid: weak-hashes-md5
        digest = OpenSSL::Digest::MD5.base64digest 'abc'
        # ruleid: weak-hashes-md5
        digest = OpenSSL::Digest::MD5.digest 'abc'
    end
end