ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1

Community Favorite
profile photo of semgrepsemgrep
Author
46,010
Download Count*
LGPL Commons Clause
License

Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: weak-hashes-sha1
    message: Should not use SHA1 to generate hashes. There is a proven SHA1 hash
      collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3
      or other hashing functions instead.
    metadata:
      cwe:
        - "CWE-328: Use of Weak Hash"
      references:
        - https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
        - https://shattered.io/
      category: security
      technology:
        - ruby
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insecure Hashing Algorithm
    languages:
      - ruby
    severity: WARNING
    pattern-either:
      - pattern: Digest::SHA1.$FUNC
      - pattern: OpenSSL::Digest::SHA1.$FUNC
      - pattern: OpenSSL::HMAC.$FUNC("sha1",...)

Examples

weak-hashes-sha1.rb

require 'digest'
class Bad_md5
    def bad_md5_code()
        # ruleid: weak-hashes-sha1
        sha = Digest::SHA1.hexdigest 'abc'
        # ruleid: weak-hashes-sha1
        sha = Digest::SHA1.new
        # ruleid: weak-hashes-sha1
        sha = Digest::SHA1.base64digest 'abc'
        # ruleid: weak-hashes-sha1
        sha = Digest::SHA1.digest 'abc'

        # ruleid: weak-hashes-sha1
        digest = OpenSSL::Digest::SHA1.new
        # ruleid: weak-hashes-sha1
        digest = OpenSSL::Digest::SHA1.hexdigest 'abc'
        # ruleid: weak-hashes-sha1
        digest = OpenSSL::Digest::SHA1.new
        # ruleid: weak-hashes-sha1
        digest = OpenSSL::Digest::SHA1.base64digest 'abc'
        # ruleid: weak-hashes-sha1
        digest = OpenSSL::Digest::SHA1.digest 'abc'
        # ruleid: weak-hashes-sha1
        OpenSSL::HMAC.hexdigest("sha1", key, data)
        # ok: weak-hashes-sha1
        OpenSSL::HMAC.hexdigest("SHA256", key, data)
        # ok: weak-hashes-sha1
        digest = OpenSSL::Digest::SHA256.new
        # ok: weak-hashes-sha1
        digest = OpenSSL::Digest::SHA256.hexdigest 'abc'
    end
end