ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1
Author: semgrep
Download count: 46,010
Do not use SHA-1 to generate hashes. SHA-1 is no longer collision-resistant: in 2017 Google, together with CWI Amsterdam, published a practical collision (SHAttered, two different PDFs with the same SHA-1 digest), so any use that depends on two inputs never hashing to the same value (signatures, certificates, content-addressed storage, deduplication, integrity manifests) is at risk. Use SHA-256, SHA-3 or another current hash function instead.

What the rule matches: any method called on Digest::SHA1 or OpenSSL::Digest::SHA1, and OpenSSL::HMAC calls whose first argument is the string literal "sha1". It does not match the algorithm passed by name in other forms, such as OpenSSL::Digest.new("sha1") or the uppercase literal "SHA1" that OpenSSL::HMAC also accepts, so review those by hand. Note that HMAC-SHA1 does not rely on collision resistance and is not broken by SHAttered; the finding there is about retiring an algorithm with no future rather than an immediately exploitable weakness, which is why the rule rates likelihood LOW.
Definition
```yaml
rules:
  - id: weak-hashes-sha1
    message: Do not use SHA1 to generate hashes. There is a proven SHA1 hash
      collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3
      or other hashing functions instead.
    metadata:
      cwe:
        - "CWE-328: Use of Weak Hash"
      references:
        - https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
        - https://shattered.io/
      category: security
      technology:
        - ruby
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insecure Hashing Algorithm
    languages:
      - ruby
    severity: WARNING
    pattern-either:
      - pattern: Digest::SHA1.$FUNC
      - pattern: OpenSSL::Digest::SHA1.$FUNC
      - pattern: OpenSSL::HMAC.$FUNC("sha1",...)
```
Examples
weak-hashes-sha1.rb
```ruby
require 'digest'
require 'openssl' # needed for the OpenSSL::Digest and OpenSSL::HMAC cases below

# Semgrep test file: each line after "# ruleid:" must be reported,
# each line after "# ok:" must not.
class Bad_md5
  def bad_md5_code()
    key = 'secret' # placeholder inputs so the HMAC calls are well-formed
    data = 'abc'
    # ruleid: weak-hashes-sha1
    sha = Digest::SHA1.hexdigest 'abc'
    # ruleid: weak-hashes-sha1
    sha = Digest::SHA1.new
    # ruleid: weak-hashes-sha1
    sha = Digest::SHA1.base64digest 'abc'
    # ruleid: weak-hashes-sha1
    sha = Digest::SHA1.digest 'abc'
    # ruleid: weak-hashes-sha1
    digest = OpenSSL::Digest::SHA1.new
    # ruleid: weak-hashes-sha1
    digest = OpenSSL::Digest::SHA1.hexdigest 'abc'
    # ruleid: weak-hashes-sha1
    digest = OpenSSL::Digest::SHA1.new
    # ruleid: weak-hashes-sha1
    digest = OpenSSL::Digest::SHA1.base64digest 'abc'
    # ruleid: weak-hashes-sha1
    digest = OpenSSL::Digest::SHA1.digest 'abc'
    # ruleid: weak-hashes-sha1
    OpenSSL::HMAC.hexdigest("sha1", key, data)
    # ok: weak-hashes-sha1
    OpenSSL::HMAC.hexdigest("SHA256", key, data)
    # ok: weak-hashes-sha1
    digest = OpenSSL::Digest::SHA256.new
    # ok: weak-hashes-sha1
    digest = OpenSSL::Digest::SHA256.hexdigest 'abc'
  end
end
```
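The test file above lists the forms the rule reports. What follows is an added example, not part of the rule or of the Semgrep test file: it puts the two common flagged uses (a content fingerprint via Digest::SHA1 and a message tag via OpenSSL::HMAC with "sha1") beside their SHA-256 replacements, adds a streaming variant for large inputs, and verifies a tag with a constant-time comparison. The function names, the sample key 'key' and the sample message are constructed for this example; the uppercase 'SHA1' variant is included because OpenSSL accepts it while the rule's literal "sha1" pattern does not match it.

```ruby
require 'digest'
require 'openssl'
require 'stringio'

# Added example; not the rule's own code. Sample inputs are constructed.
SAMPLE_KEY  = 'key'
SAMPLE_DATA = 'The quick brown fox jumps over the lazy dog'

# ---- Before: each call here is matched by weak-hashes-sha1 ----------------

# Content fingerprint for deduplication or integrity (Digest::SHA1.$FUNC).
def fingerprint_sha1(body)
  Digest::SHA1.hexdigest(body)
end

# Message tag (OpenSSL::HMAC.$FUNC("sha1", ...)).
def tag_sha1(key, data)
  OpenSSL::HMAC.hexdigest('sha1', key, data)
end

# Same algorithm, different spelling: OpenSSL resolves 'SHA1' and 'sha1' to
# the same digest, but the rule only matches the lowercase literal, so this
# call is NOT reported. Grep for it by hand during a migration.
def tag_sha1_uppercase(key, data)
  OpenSSL::HMAC.hexdigest('SHA1', key, data)
end

# ---- After: SHA-256 replacements ------------------------------------------

# Hex output grows from 40 to 64 characters; a column or fixed-width field
# sized for SHA-1 will silently truncate the new value.
def fingerprint(body)
  Digest::SHA256.hexdigest(body)
end

# Streaming form for large inputs, using the algorithm-by-name constructor.
def fingerprint_streaming(io, chunk_size = 4096)
  d = OpenSSL::Digest.new('SHA256')
  while (chunk = io.read(chunk_size))
    d << chunk
  end
  d.hexdigest
end

def tag(key, data)
  OpenSSL::HMAC.hexdigest('SHA256', key, data)
end

# Constant-time comparison of the presented tag against the expected one so
# verification does not leak how many leading bytes matched. Length is
# checked first; the loop then touches every byte regardless of mismatches.
# (OpenSSL.fixed_length_secure_compare does the same in openssl gem >= 2.2;
# the manual loop avoids depending on that version.)
def verify_tag(key, data, presented)
  expected = tag(key, data)
  return false unless presented.bytesize == expected.bytesize
  diff = 0
  expected.bytes.zip(presented.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

if __FILE__ == $PROGRAM_NAME
  puts "SHA-1   fingerprint: #{fingerprint_sha1('abc')}"
  puts "SHA-256 fingerprint: #{fingerprint('abc')}"
  puts "HMAC-SHA256 tag:     #{tag(SAMPLE_KEY, SAMPLE_DATA)}"
  puts "verify ok:           #{verify_tag(SAMPLE_KEY, SAMPLE_DATA, tag(SAMPLE_KEY, SAMPLE_DATA))}"
end
```

When migrating stored fingerprints, keep the old SHA-1 column only long enough to re-hash the content from source; a SHA-1 value cannot be converted into a SHA-256 value, so anything that exists only as a SHA-1 digest has to be re-read and re-hashed.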
Short Link: https://sg.run/e4qX