ruby.lang.security.weak-hashes-md5.weak-hashes-md5
Community Favorite
semgrep
Author
46,077
Download Count*
License
Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.
Definition
rules:
  - id: weak-hashes-md5
    message: Should not use md5 to generate hashes. md5 is proven to be vulnerable
      through the use of brute-force attacks. Could also result in collisions,
      leading to potential collision attacks. Use SHA256 or other hashing
      functions instead.
    metadata:
      cwe:
        - "CWE-328: Use of Weak Hash"
      references:
        - https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575
      category: security
      technology:
        - ruby
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insecure Hashing Algorithm
    languages:
      - ruby
    severity: WARNING
    pattern-either:
      - pattern: Digest::MD5.base64digest $X
      - pattern: Digest::MD5.hexdigest $X
      - pattern: Digest::MD5.digest $X
      - pattern: Digest::MD5.new
      - pattern: OpenSSL::Digest::MD5.base64digest $X
      - pattern: OpenSSL::Digest::MD5.hexdigest $X
      - pattern: OpenSSL::Digest::MD5.digest $X
      - pattern: OpenSSL::Digest::MD5.new
Examples
weak-hashes-md5.rb
require 'digest'
require 'openssl' # needed for the OpenSSL::Digest::MD5 calls below

# Test fixture: every MD5 call here is expected to be reported by the rule.
class Bad_md5
  def bad_md5_code()
    # ruleid: weak-hashes-md5
    md5 = Digest::MD5.hexdigest 'abc'
    # ruleid: weak-hashes-md5
    md5 = Digest::MD5.new
    # ruleid: weak-hashes-md5
    md5 = Digest::MD5.base64digest 'abc'
    # ruleid: weak-hashes-md5
    md5 = Digest::MD5.digest 'abc'
    # ruleid: weak-hashes-md5
    digest = OpenSSL::Digest::MD5.new
    # ruleid: weak-hashes-md5
    digest = OpenSSL::Digest::MD5.hexdigest 'abc'
    # ruleid: weak-hashes-md5
    digest = OpenSSL::Digest::MD5.new
    # ruleid: weak-hashes-md5
    digest = OpenSSL::Digest::MD5.base64digest 'abc'
    # ruleid: weak-hashes-md5
    digest = OpenSSL::Digest::MD5.digest 'abc'
  end
end
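As an added example (not part of the rule or its test fixture), here is the weak call shape the rule flags beside SHA256 replacements for each of the `Digest::MD5` / `OpenSSL::Digest::MD5` forms the rule matches, following the message's recommendation; the `WeakFingerprint` and `Fingerprint` module names are hypothetical.

```ruby
require 'digest'
require 'openssl'
require 'stringio'

# Weak form, kept only for comparison: this call is matched by weak-hashes-md5.
module WeakFingerprint
  def self.hex(data)
    Digest::MD5.hexdigest(data) # 128-bit digest; collisions are practical
  end
end

# Hardened form: the same call shapes with SHA256 substituted for MD5.
module Fingerprint
  # Replaces Digest::MD5.hexdigest $X
  def self.hex(data)
    Digest::SHA256.hexdigest(data)
  end

  # Replaces Digest::MD5.base64digest $X
  def self.base64(data)
    Digest::SHA256.base64digest(data)
  end

  # Replaces the incremental Digest::MD5.new / OpenSSL::Digest::MD5.new pattern:
  # hash an IO in chunks so large files are not read into memory at once.
  def self.stream(io, chunk_size: 64 * 1024)
    sha = OpenSSL::Digest.new('SHA256')
    while (chunk = io.read(chunk_size))
      sha << chunk
    end
    sha.hexdigest
  end

  # Compare a computed digest with a stored one without stopping at the first
  # differing byte, so comparison time does not depend on where they differ.
  def self.verify(data, expected_hex)
    actual = hex(data)
    return false unless actual.bytesize == expected_hex.bytesize
    actual.bytes.zip(expected_hex.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "MD5    #{WeakFingerprint.hex('abc')}"
  puts "SHA256 #{Fingerprint.hex('abc')}"
  puts "stream #{Fingerprint.stream(StringIO.new('abc'))}"
end
```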
Short Link: https://sg.run/O1re