Usage of bad hex conversion on digest array

Overview

Rule ID: java_lang_bad_hex_conversion
Applicable Languages: Java
Weakness ID: CWE-704

Description

Your application uses Integer.toHexString to convert a digest array buffer into a hexadecimal string, potentially leading to incorrect representations.

Risks

Using Integer.toHexString for converting a digest array buffer to a hexadecimal string can result in incorrect formatting or data loss, leading to potential security vulnerabilities. This misrepresentation may compromise data integrity and affect cryptographic functions relying on accurate digest values.

Remediation Guidelines

Do not use Integer.toHexString for converting digest arrays to hexadecimal strings due to the risk of inaccuracies.
```
String hexString = Integer.toHexString(byteValue); // unsafe
```

Instead, use java.util.HexFormat for accurate hexadecimal conversion in Java 17 and above:

MessageDigest sha256Digest = MessageDigest.getInstance("SHA-256");
sha256Digest.update("hello world".getBytes(StandardCharsets.UTF_8));
byte[] output = sha256Digest.digest();

HexFormat hex = HexFormat.of();
String hexString = hex.formatHex(output);

For Java versions prior to 17, consider using javax.xml.bind.DatatypeConverter.printHexBinary as an alternative for accurate hex conversion.

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousUnsanitized User Input in XPath NextUsage of CBC (Cipher Block Chaining) Mode with Padding

Last updated 1 year ago

hashtagOverview

hashtagDescription

hashtagRisks

hashtagRemediation Guidelines

hashtagReferences

hashtagConfiguration