[ https://issues.apache.org/jira/browse/ANY23-553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17468307#comment-17468307 ]

ASF GitHub Bot commented on ANY23-553:
--------------------------------------

lewismc opened a new pull request #242:
URL: https://github.com/apache/any23/pull/242

This issue addresses https://issues.apache.org/jira/browse/ANY23-553

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@any23.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

> Document MathUtils#md5 to warn that the weak hash algorithm is not to be used in a sensitive context
> ----------------------------------------------------------------------------------------------------
>
>                 Key: ANY23-553
>                 URL: https://issues.apache.org/jira/browse/ANY23-553
>             Project: Apache Any23
>          Issue Type: Improvement
>          Components: core, security
>    Affects Versions: 2.6
>            Reporter: Lewis John McGibbney
>            Assignee: Lewis John McGibbney
>            Priority: Major
>             Fix For: 2.7
>
>
> Sonarcloud.io analysis has [identified a potential security vulnerability|https://sonarcloud.io/project/security_hotspots?id=apache_any23&hotspots=AX4hXXA7bH-PGMU5iLkk] with [MathUtils#md5|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/util/MathUtils.java#L35-L49].
>
> I have reviewed usage of this method in the Any23 codebase and found that it is used in one place for one purpose. It is only used in [RDFUtils#getBNode()|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/rdf/RDFUtils.java#L375-L386].
>
> To determine whether there is a risk we should ask three questions.
> The hashed value is used in a security context like:
> # User-password storage.
> # Security token generation (used to confirm e-mail when registering on a website, reset password, etc …).
> # To compute some message integrity.
> There is a risk if you answered yes to any of those questions.
> I determine that all answers are no.
> I therefore propose to augment the Javadoc with a warning and provide a unit test to improve the test coverage.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
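The proposed fix is a Javadoc warning plus a unit test. As an added illustration (this is not Any23's MathUtils or the pull request's code), the following shows what such a documented helper and its test can look like: a hypothetical `HashDocExample` class whose Javadoc states the non-sensitive purpose and names the three contexts the issue lists as off-limits, a `nodeId` method standing in for the blank-node use, and a JUnit 5 test (the test framework is an assumption) that pins the digest to the RFC 1321 test vectors so the behaviour is covered.

```java
// File 1 (hypothetical): HashDocExample.java -- stand-in for a utility class, not Any23's own.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class HashDocExample {

    private HashDocExample() {}

    /**
     * Returns the lowercase hexadecimal MD5 digest of {@code input}.
     *
     * <p><b>Warning:</b> MD5 is a cryptographically broken hash. This method
     * exists only to derive short, deterministic, non-secret identifiers
     * (for example a blank-node id from a stable seed string). Do <b>not</b>
     * use it for user-password storage, security-token generation or message
     * integrity checks; those contexts need a purpose-built algorithm
     * (for example SHA-256 via {@link MessageDigest#getInstance(String)} for
     * integrity, or a dedicated password-hashing function for credentials).
     *
     * @param input the string to digest
     * @return 32 lowercase hex characters
     */
    public static String md5(String input) {
        return hex(digest("MD5", input));
    }

    // Shared digest helper; fails loudly rather than silently if the JVM lacks the algorithm.
    static byte[] digest(String algorithm, String input) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            return md.digest(input.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(algorithm + " not available", e);
        }
    }

    // Hex-encodes bytes; %02x on a byte yields its unsigned two-character form.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Non-sensitive use: a deterministic, non-secret node id derived from a seed. */
    public static String nodeId(String seed) {
        return "node" + md5(seed);
    }
}

// File 2 (hypothetical): HashDocExampleTest.java -- JUnit 5 assumed.
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
import org.junit.jupiter.api.Test;

class HashDocExampleTest {

    // Known MD5 test vectors from RFC 1321, appendix A.5.
    @Test
    void md5MatchesKnownVectors() {
        assertEquals("d41d8cd98f00b204e9800998ecf8427e", HashDocExample.md5(""));
        assertEquals("900150983cd24fb0d6963f7d28e17f72", HashDocExample.md5("abc"));
    }

    // The identifier use only needs determinism and a fixed shape, not collision resistance.
    @Test
    void nodeIdIsDeterministicAndHexShaped() {
        String a = HashDocExample.nodeId("seed-1");
        assertEquals(a, HashDocExample.nodeId("seed-1"));
        assertEquals(36, a.length()); // "node" + 32 hex characters
        assertTrue(a.matches("node[0-9a-f]{32}"));
    }
}
```

Pinning the digest to published test vectors is what turns the Javadoc promise into something a build can check: a later swap of the algorithm, or an encoding change in the hex helper, fails the test instead of silently changing every generated identifier.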