[https://issues.apache.org/jira/browse/ANY23-553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17469520#comment-17469520]
Hudson commented on ANY23-553:
------------------------------
SUCCESS: Integrated in Jenkins build Any23 » any23-master #55 (See
[https://ci-builds.apache.org/job/Any23/job/any23-master/55/])
ANY23-553 Document MathUtils#md5 to warn that the weak hash algorithm is not to
be used in a sensitive context (#242) (github:
[https://github.com/apache/any23/commit/e0899300dcbb4d1446e68eee45a3d8019c5aca0f])
* (edit) pom.xml
* (edit) core/src/main/java/org/apache/any23/util/MathUtils.java
* (edit) core/src/main/java/org/apache/any23/rdf/RDFUtils.java
* (add) core/src/test/java/org/apache/any23/util/MathUtilsTest.java
> Document MathUtils#md5 to warn that the weak hash algorithm is not to be used
> in a sensitive context
> ----------------------------------------------------------------------------------------------------
>
> Key: ANY23-553
> URL: https://issues.apache.org/jira/browse/ANY23-553
> Project: Apache Any23
> Issue Type: Improvement
> Components: core, security
> Affects Versions: 2.6
> Reporter: Lewis John McGibbney
> Assignee: Lewis John McGibbney
> Priority: Major
> Fix For: 2.7
>
>
> Sonarcloud.io analysis has [identified a potential security
> vulnerability|https://sonarcloud.io/project/security_hotspots?id=apache_any23&hotspots=AX4hXXA7bH-PGMU5iLkk]
> with
> [MathUtils#md5|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/util/MathUtils.java#L35-L49].
> I have reviewed usage of this method in the Any23 codebase and found that it
> is used in one place for one purpose. It is only used in
> [RDFUtils#getBNode()|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/rdf/RDFUtils.java#L375-L386].
>
> To determine whether there is a risk we should ask three questions:
> If the hashed value is used in a security context like:
> # User-password storage.
> # Security token generation (used to confirm e-mail when registering on a
> website, reset password, etc …).
> # To compute some message integrity.
> There is a risk if you answered yes to any of those questions.
> I determine that all answers are no.
> I therefore propose to augment the Javadoc with a warning and provide a unit
> test to improve the test coverage.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
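As an added illustration, not Any23's own MathUtils or its test: a weak-hash helper documented the way the ticket describes, together with the RFC 1321 known-answer checks a unit test for such a method would assert. The class name WeakHashDemo, selfCheck() and main() are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Illustration only: a stand-in for a utility class, not Any23's MathUtils. */
public final class WeakHashDemo {

    private WeakHashDemo() {
    }

    /**
     * Returns the MD5 digest of {@code input} as 32 lowercase hex characters.
     * <p>
     * <b>Warning:</b> MD5 is a weak hash algorithm. Do not use this method in a
     * sensitive context: not for user-password storage, not for security token
     * generation, and not to compute message integrity. Its only acceptable use
     * is deriving a stable, non-secret identifier from non-secret input.
     */
    public static String md5(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            // Every Java SE runtime is required to provide MD5, so this is unreachable in practice.
            throw new IllegalStateException("MD5 MessageDigest not available", e);
        }
    }

    /** Known-answer checks (RFC 1321 test vectors) plus a determinism check. */
    public static boolean selfCheck() {
        return "d41d8cd98f00b204e9800998ecf8427e".equals(md5(""))
                && "900150983cd24fb0d6963f7d28e17f72".equals(md5("abc"))
                && md5("same input").equals(md5("same input"));
    }

    public static void main(String[] args) {
        System.out.println(selfCheck() ? "md5 known-answer checks passed" : "md5 known-answer checks FAILED");
    }
}
```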