[
https://issues.apache.org/jira/browse/ANY23-553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lewis John McGibbney updated ANY23-553:
---------------------------------------
Description:
Sonarcloud.io analysis has [identified a potential security
vulnerability|https://sonarcloud.io/project/security_hotspots?id=apache_any23&hotspots=AX4hXXA7bH-PGMU5iLkk]
with
[MathUtils#md5|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/util/MathUtils.java#L35-L49].
I have reviewed usage of this method in the Any23 codebase and found that it is
used in one place for one purpose. It is only used in
[RDFUtils#getBNode()|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/rdf/RDFUtils.java#L375-L386].
To determine whether there is a risk we should ask three questions
If the hashed value is used in a security context like:
# User-password storage.
# Security token generation (used to confirm e-mail when registering on a
website, reset password, etc …).
# To compute some message integrity.
There is a risk if you answered yes to any of those questions.
I determine that all answers are no.
I therefore propose to augment the Javadoc with a warning and provide a unit
test to improve the test coverage.
was:
Sonarcloud.io analysis has [identified a potential security
vulnerability|https://sonarcloud.io/project/security_hotspots?id=apache_any23&hotspots=AX4hXXA7bH-PGMU5iLkk]
with
[MathUtils#md5|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/util/MathUtils.java#L35-L49].
I have reviewed usage of this method in the Any23 codebase and found that it is
used in one place for one purpose. It is only used in
[RDFUtils#getBNode()|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/rdf/RDFUtils.java#L375-L386].
To determine whether there is a risk we should ask three questions
The hashed value is used in a security context like:
# User-password storage.
# Security token generation (used to confirm e-mail when registering on a
website, reset password, etc …).
# To compute some message integrity.
There is a risk if you answered yes to any of those questions.
I determine that all answers are no.
I therefore propose to augment the Javadoc with a warning and provide a unit
test to improve the test coverage.
> Document MathUtils#md5 to warn that the weak hash algorithm is not to be used
> in a sensitive context
> ----------------------------------------------------------------------------------------------------
>
> Key: ANY23-553
> URL: https://issues.apache.org/jira/browse/ANY23-553
> Project: Apache Any23
> Issue Type: Improvement
> Components: core, security
> Affects Versions: 2.6
> Reporter: Lewis John McGibbney
> Assignee: Lewis John McGibbney
> Priority: Major
> Fix For: 2.7
>
>
> Sonarcloud.io analysis has [identified a potential security
> vulnerability|https://sonarcloud.io/project/security_hotspots?id=apache_any23&hotspots=AX4hXXA7bH-PGMU5iLkk]
> with
> [MathUtils#md5|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/util/MathUtils.java#L35-L49].
> I have reviewed usage of this method in the Any23 codebase and found that it
> is used in one place for one purpose. It is only used in
> [RDFUtils#getBNode()|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/rdf/RDFUtils.java#L375-L386].
>
> To determine whether there is a risk we should ask three questions
> If the hashed value is used in a security context like:
> # User-password storage.
> # Security token generation (used to confirm e-mail when registering on a
> website, reset password, etc …).
> # To compute some message integrity.
> There is a risk if you answered yes to any of those questions.
> I determine that all answers are no.
> I therefore propose to augment the Javadoc with a warning and provide a unit
> test to improve the test coverage.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
