Lewis John McGibbney created ANY23-553:
------------------------------------------

             Summary: Document MathUtils#md5 to warn that the weak hash 
algorithm is not to be used in a sensitive context
                 Key: ANY23-553
                 URL: https://issues.apache.org/jira/browse/ANY23-553
             Project: Apache Any23
          Issue Type: Improvement
          Components: core, security
    Affects Versions: 2.6
            Reporter: Lewis John McGibbney
            Assignee: Lewis John McGibbney
             Fix For: 2.7


Sonarcloud.io analysis has [identified a potential security vulnerability|https://sonarcloud.io/project/security_hotspots?id=apache_any23&hotspots=AX4hXXA7bH-PGMU5iLkk] with [MathUtils#md5|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/util/MathUtils.java#L35-L49].
I have reviewed usage of this method in the Any23 codebase and found that it is used in one place for one purpose. It is only used in [RDFUtils#getBNode()|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/rdf/RDFUtils.java#L375-L386].
 
To determine whether there is a risk we should ask three questions.
The hashed value is used in a security context like:
# User-password storage.
# Security token generation (used to confirm e-mail when registering on a website, reset password, etc.).
# To compute some message integrity.

There is a risk if you answered yes to any of those questions.
I determine that all answers are no.

I therefore propose to augment the Javadoc with a warning and provide a unit 
test to improve the test coverage.
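As an added illustration (not code from Any23 or from the issue reporter) of what the proposed Javadoc warning and accompanying test could look like: a hypothetical `md5Hex` helper standing in for a method like `MathUtils#md5`, a hypothetical `blankNodeLabel` caller standing in for the non-secret identifier use the issue describes, and a `main` that checks the helper against the RFC 1321 test vector for "abc" and checks that labels are deterministic. The class name, method names and the "node" label prefix are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Hypothetical stand-in for a helper such as MathUtils#md5 (example code,
 * not the Any23 implementation).
 */
public final class WeakHashExample {

    private WeakHashExample() {}

    /**
     * Returns the hex-encoded MD5 digest of {@code input}.
     *
     * <p><strong>Warning:</strong> MD5 is a weak, collision-prone hash.
     * This method exists only to derive short, deterministic, non-secret
     * identifiers (for example a blank-node label). It must NOT be used for
     * user-password storage, security-token generation, or message
     * integrity checks.
     *
     * @param input the text to digest
     * @return 32 lowercase hexadecimal characters
     */
    public static String md5Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            // Every Java platform is required to provide MD5, so this is unexpected.
            throw new IllegalStateException("MD5 MessageDigest not available", e);
        }
    }

    /**
     * The kind of non-security use the issue describes: a stable, non-secret
     * blank-node label derived from a seed (hypothetical caller, "node" prefix assumed).
     */
    public static String blankNodeLabel(String seed) {
        return "node" + md5Hex(seed);
    }

    /** Minimal self-check that doubles as the unit test the issue proposes. */
    public static void main(String[] args) {
        // RFC 1321 test vector: MD5("abc") = 900150983cd24fb0d6963f7d28e17f72
        String digest = md5Hex("abc");
        if (!"900150983cd24fb0d6963f7d28e17f72".equals(digest)) {
            throw new AssertionError("unexpected digest: " + digest);
        }
        // Determinism is the only property the blank-node use relies on.
        if (!blankNodeLabel("x").equals(blankNodeLabel("x"))) {
            throw new AssertionError("label is not deterministic");
        }
        System.out.println("ok: " + digest);
    }
}
```

The `main` is written with plain `AssertionError` checks so it runs with `javac`/`java` alone; in the project it would naturally become a JUnit test asserting the same RFC 1321 vector.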



--
This message was sent by Atlassian Jira
(v8.20.1#820001)