rust.lang.security.insecure-hashes.insecure-hashes

Author: unknown
Detected cryptographically insecure hashing function


Definition

rules:
  - id: insecure-hashes
    message: Detected cryptographically insecure hashing function
    pattern-either:
      - pattern: md2::Md2::new(...)
      - pattern: md4::Md4::new(...)
      - pattern: md5::Md5::new(...)
      - pattern: sha1::Sha1::new(...)
    metadata:
      references:
        - https://github.com/RustCrypto/hashes
        - https://docs.rs/md2/latest/md2/
        - https://docs.rs/md4/latest/md4/
        - https://docs.rs/md5/latest/md5/
        - https://docs.rs/sha-1/latest/sha1/
      technology:
        - rust
      category: security
      cwe: "CWE-328: Use of Weak Hash"
      confidence: HIGH
      likelihood: LOW
      impact: MEDIUM
      subcategory: audit
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insecure Hashing Algorithm
    languages:
      - rust
    severity: WARNING

Examples

insecure-hashes.rs

use md2::Md2;
use md4::Md4;
use md5::Md5;
use sha1::Sha1;
use sha2::Sha256;
// The `Digest` trait supplies `new()`, `update()` and `finalize()`; every
// RustCrypto hash crate re-exports it from the `digest` crate.
use sha2::Digest;

fn main() {
    // ruleid: insecure-hashes
    let mut hasher = Md2::new();

    // ruleid: insecure-hashes
    let mut hasher = Md4::new();

    // ruleid: insecure-hashes
    let mut hasher = Md5::new();

    // ruleid: insecure-hashes
    let mut hasher = Sha1::new();

    // ok: insecure-hashes
    let mut hasher = Sha256::new();
}