56 lines
1.6 KiB
Plaintext
56 lines
1.6 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Using ``++Integer.toHexString++`` is a common mistake when converting sequences of bytes into hexadecimal string representations. The problem is that the method trims leading zeroes, which can lead to wrong conversions. For instance a two bytes value of ``++0x4508++`` would be converted into ``++45++`` and ``++8++`` which once concatenated would give ``++0x458++``.
|
|
|
|
This is particularly damaging when converting hash-codes and could lead to a security vulnerability.
|
|
|
|
|
|
This rule raises an issue when ``++Integer.toHexString++`` is used in any kind of string concatenations.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,java]
|
|
----
|
|
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
|
byte[] bytes = md.digest(password.getBytes("UTF-8"));
|
|
|
|
StringBuilder sb = new StringBuilder();
|
|
for (byte b : bytes) {
|
|
sb.append(Integer.toHexString( b & 0xFF )); // Noncompliant
|
|
}
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,java]
|
|
----
|
|
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
|
byte[] bytes = md.digest(password.getBytes("UTF-8"));
|
|
|
|
StringBuilder sb = new StringBuilder();
|
|
for (byte b : bytes) {
|
|
sb.append(String.format("%02X", b));
|
|
}
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* CWE - https://cwe.mitre.org/data/definitions/704[CWE-704 - Incorrect Type Conversion or Cast]
|
|
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION[BAD_HEXA_CONVERSION]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Use String.format( "%02X", ...) instead
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|