16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
56 lines
1.6 KiB
Plaintext
56 lines
1.6 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Using ``++Integer.toHexString++`` is a common mistake when converting sequences of bytes into hexadecimal string representations. The problem is that the method trims leading zeroes, which can lead to wrong conversions. For instance a two bytes value of ``++0x4508++`` would be converted into ``++45++`` and ``++8++`` which once concatenated would give ``++0x458++``.
|
|
|
|
This is particularly damaging when converting hash-codes and could lead to a security vulnerability.
|
|
|
|
|
|
This rule raises an issue when ``++Integer.toHexString++`` is used in any kind of string concatenations.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,java]
|
|
----
|
|
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
|
byte[] bytes = md.digest(password.getBytes("UTF-8"));
|
|
|
|
StringBuilder sb = new StringBuilder();
|
|
for (byte b : bytes) {
|
|
sb.append(Integer.toHexString( b & 0xFF )); // Noncompliant
|
|
}
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,java]
|
|
----
|
|
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
|
byte[] bytes = md.digest(password.getBytes("UTF-8"));
|
|
|
|
StringBuilder sb = new StringBuilder();
|
|
for (byte b : bytes) {
|
|
sb.append(String.format("%02X", b));
|
|
}
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* https://cwe.mitre.org/data/definitions/704[MITRE, CWE-704] - Incorrect Type Conversion or Cast
|
|
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION[BAD_HEXA_CONVERSION]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Use String.format( "%02X", ...) instead
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|