36 lines
1.3 KiB
Plaintext
36 lines
1.3 KiB
Plaintext
Using ``++Integer.toHexString++`` is a common mistake when converting sequences of bytes into hexadecimal string representations. The problem is that the method trims leading zeroes, which can lead to wrong conversions. For instance a two bytes value of ``++0x4508++`` would be converted into ``++45++`` and ``++8++`` which once concatenated would give ``++0x458++``.
|
|
|
|
This is particularly damaging when converting hash-codes and could lead to a security vulnerability.
|
|
|
|
|
|
This rule raises an issue when ``++Integer.toHexString++`` is used in any kind of string concatenations.
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
|
byte[] bytes = md.digest(password.getBytes("UTF-8"));
|
|
|
|
StringBuilder sb = new StringBuilder();
|
|
for (byte b : bytes) {
|
|
sb.append(Integer.toHexString( b & 0xFF )); // Noncompliant
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
|
byte[] bytes = md.digest(password.getBytes("UTF-8"));
|
|
|
|
StringBuilder sb = new StringBuilder();
|
|
for (byte b : bytes) {
|
|
sb.append(String.format("%02X", b));
|
|
}
|
|
----
|
|
|
|
== See
|
|
|
|
* http://cwe.mitre.org/data/definitions/704.html[MITRE, CWE-704] - Incorrect Type Conversion or Cast
|
|
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION[BAD_HEXA_CONVERSION]
|