Usage of bad hex conversion on digest array

Overview

  • Rule ID: java_lang_bad_hex_conversion

  • Applicable Languages: Java

  • Weakness ID: CWE-704

Description

Your application uses Integer.toHexString to convert a digest array (a byte[] returned by MessageDigest.digest()) into a hexadecimal string. Integer.toHexString widens each byte to an int, so it drops the leading zero of any byte below 0x10 and sign-extends any negative byte to eight digits; the resulting string is therefore not a correct representation of the digest.

Risks

  • Using Integer.toHexString to convert a digest array to a hexadecimal string produces strings of the wrong length and, in some cases, the wrong digits. Because leading zeros are lost, two different digests can map to the same string (for example, the byte pairs 0x01 0x23 and 0x12 0x03 both become "123"), so integrity checks, signature verification and digest comparisons that rely on the hex string can accept mismatched data or reject valid data. This undermines the cryptographic function that the digest was meant to provide.

Remediation Guidelines

  • Do not use Integer.toHexString for converting digest arrays to hexadecimal strings due to the risk of inaccuracies.

    // unsafe: for byteValue == 0x0A this yields "a" (leading zero lost),
    // and for byteValue == (byte) 0xFF it yields "ffffffff" (sign extension)
    String hexString = Integer.toHexString(byteValue);
    
  • Instead, use java.util.HexFormat for accurate hexadecimal conversion in Java 17 and above:

    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.util.HexFormat;

    // getInstance() throws java.security.NoSuchAlgorithmException; declare or handle it
    MessageDigest sha256Digest = MessageDigest.getInstance("SHA-256");
    sha256Digest.update("hello world".getBytes(StandardCharsets.UTF_8));
    byte[] output = sha256Digest.digest();
    
    // formatHex emits exactly two lowercase hex digits per byte
    HexFormat hex = HexFormat.of();
    String hexString = hex.formatHex(output);
    
  • For Java versions prior to 17, consider using javax.xml.bind.DatatypeConverter.printHexBinary as an alternative for accurate hex conversion. Note that the javax.xml.bind package was removed from the JDK in Java 11, so on Java 11 to 16 this requires adding the JAXB API as an explicit dependency.
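The following is an added example, not code from the rule page or from any project it describes, that shows the defect side by side with two correct conversions: the Java 17+ HexFormat route the page recommends, and a dependency-free fallback for older JDKs built on String.format("%02x", b & 0xff) (the method names, the class name DigestHexDemo and the sample byte arrays are constructed for this illustration). The constructed inputs are chosen to contain a byte below 0x10 and a negative byte, which are exactly the cases where Integer.toHexString goes wrong, and a second pair of arrays that collide under the unsafe conversion.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HexFormat;

public class DigestHexDemo {

    // The pattern this rule flags. Integer.toHexString widens each byte to an int:
    // 0x0A becomes "a" (leading zero lost) and (byte) 0xFF becomes "ffffffff" (sign extension).
    static String unsafeHex(byte[] digest) {
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(Integer.toHexString(b));
        }
        return sb.toString();
    }

    // Java 17 and above: HexFormat always emits exactly two lowercase hex digits per byte.
    static String safeHex17(byte[] digest) {
        return HexFormat.of().formatHex(digest);
    }

    // Java 8 to 16 without extra dependencies: mask to 0..255 and zero-pad to width 2.
    static String safeHexLegacy(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed input: one low byte (0x0A), one negative byte (0xFF), one zero byte.
        byte[] sample = {0x0A, (byte) 0xFF, 0x10, 0x00};
        System.out.println("unsafe        : " + unsafeHex(sample));      // "affffffff100", 12 chars
        System.out.println("HexFormat     : " + safeHex17(sample));      // "0aff1000", 8 chars
        System.out.println("String.format : " + safeHexLegacy(sample));  // "0aff1000", 8 chars

        // Constructed collision: two different arrays that the unsafe conversion cannot tell apart.
        byte[] a = {0x01, 0x23};
        byte[] b = {0x12, 0x03};
        System.out.println("arrays equal           : " + Arrays.equals(a, b));
        System.out.println("unsafe strings equal   : " + unsafeHex(a).equals(unsafeHex(b)));
        System.out.println("HexFormat strings equal: " + safeHex17(a).equals(safeHex17(b)));

        // A real digest: a SHA-256 value is 32 bytes, so a correct hex string is always 64 chars.
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] digest = sha256.digest("hello world".getBytes(StandardCharsets.UTF_8));
        String good = safeHex17(digest);
        String bad = unsafeHex(digest);
        System.out.println("correct hex length : " + good.length());
        System.out.println("unsafe hex length  : " + bad.length());
        System.out.println("legacy == HexFormat: " + good.equals(safeHexLegacy(digest)));
        System.out.println("unsafe == HexFormat: " + good.equals(bad));
    }
}
```

Running the class prints the collision case as equal under unsafeHex but different under HexFormat, and shows the unsafe digest string deviating from the 64-character length a SHA-256 hex encoding must have. When reviewing code for this rule, the quickest manual check is whether the conversion masks with & 0xff and zero-pads to two digits; anything that passes a raw byte to Integer.toHexString without both steps is affected.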

Configuration

To omit this rule during a scan, or to set up continuous code-level scanning, use our SAST tool.
