rspec/rules/S4790/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
var hashProvider1 = new MD5CryptoServiceProvider(); // Sensitive
var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("MD5"); // Sensitive
var hashProvider3 = new SHA1Managed(); // Sensitive
var hashProvider4 = HashAlgorithm.Create("SHA1"); // Sensitive
----

== Compliant Solution

[source,csharp]
----
var hashProvider1 = new SHA512Managed(); // Compliant
var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("SHA512Managed"); // Compliant
var hashProvider3 = HashAlgorithm.Create("SHA512Managed"); // Compliant
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 16 Oct 2018, 10:52:49 Nicolas Harraudeau wrote:
*Implementation details*:

The example just gives a partial list of all the HashAlgorithm subclasses. See the full list https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.hashalgorithm?redirectedfrom=MSDN&view=netframework-4.7.2[here] (Follow the links in the "Derived" section, and each class has again subclasses). HashAlgorithm classes are created either via their constructor or with the ``++Create++`` static method.


Note that these classes exist for both .Net Framework and .Net Core.

See https://docs.microsoft.com/en-gb/dotnet/standard/security/ensuring-data-integrity-with-hash-codes[documentation] for more information.


*Why Highlight this*:

The class instantiation should be the start of any secure code review. We do not Highlight later references to HashAlgorithm instances as it would create too many issues.

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]