Weak encryption library usage detected.
- Rule ID: ruby_lang_weak_encryption
- Languages: ruby
- Source: weak_encryption.yml
Weak encryption or hashing algorithms can be broken with modest effort, exposing the data they protect (stored passwords, tokens, ciphertext) and increasing the impact of a breach. This rule checks for the use of weak encryption and hashing libraries or algorithms.
According to OWASP, MD5, RC4, DES, Blowfish, SHA1, 1024-bit RSA or DSA, 160-bit ECDSA (elliptic curves) and 80/112-bit 2TDEA (two-key triple DES) are considered weak hash/encryption algorithms and therefore shouldn't be used.
❌ Avoid libraries and algorithms with known weaknesses (each of these lines is flagged by the rule):

```ruby
require 'digest'          # stdlib: Digest::SHA1, Digest::MD5
require 'crypt/blowfish'  # crypt gem
require 'rc4'             # ruby-rc4 gem

Digest::SHA1.hexdigest 'weak password encryption' # SHA-1: collisions are practical; fast and unsalted
Crypt::Blowfish.new("weak password encryption")   # Blowfish: 64-bit block size, deprecated
RC4.new("weak password encryption")               # RC4: biased keystream, broken stream cipher
Digest::MD5.hexdigest 'unsecure string'           # MD5: collisions are trivial
```
✅ Instead, we recommend using bcrypt:
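The bcrypt gem (`BCrypt::Password.create`) is the page's recommendation and needs a native gem install. The block below is an added example, not the rule page's own snippet: it uses only Ruby's standard library (`OpenSSL::KDF` with PBKDF2-HMAC-SHA256, an OWASP-accepted alternative to bcrypt) to show what separates a password hash from the flagged `Digest::MD5` call: a random per-password salt, a deliberate work factor, and constant-time verification. The function names, the `scheme$iterations$salt$key` storage format and the sample password are this example's own assumptions.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Constructed sample secret used only for this demonstration.
SAMPLE_PASSWORD = 'correct horse battery staple'

# What the rule flags: an unsalted, fast digest. Equal inputs always give
# equal outputs, so a leaked table falls to precomputed dictionaries.
def weak_digest(password)
  Digest::MD5.hexdigest(password)
end

# Work factor and sizes for the hardened form. The iteration count follows
# the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES  = 32

# Derive a salted, slow hash and pack it as "scheme$iterations$salt$key"
# (hex; this example's own storage format) so every parameter needed to
# verify later travels with the hash.
def hash_password(password, iterations: PBKDF2_ITERATIONS)
  salt = SecureRandom.random_bytes(SALT_BYTES)
  key  = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                  length: KEY_BYTES, hash: 'sha256')
  ['pbkdf2-sha256', iterations, salt.unpack1('H*'), key.unpack1('H*')].join('$')
end

# Constant-time equality for two equal-length byte strings, so a timing
# side channel cannot leak how many leading bytes matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  if OpenSSL.respond_to?(:fixed_length_secure_compare)
    OpenSSL.fixed_length_secure_compare(a, b)
  else
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Recompute with the stored salt and iteration count, rejecting any record
# that is not in the expected format instead of raising on it.
def verify_password(password, stored)
  scheme, iterations, salt_hex, key_hex = stored.to_s.split('$', 4)
  return false unless scheme == 'pbkdf2-sha256' && salt_hex && key_hex
  rounds = Integer(iterations, exception: false)
  return false unless rounds && rounds.positive?
  expected = [key_hex].pack('H*')
  return false unless expected.bytesize == KEY_BYTES
  salt      = [salt_hex].pack('H*')
  candidate = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: rounds,
                                       length: KEY_BYTES, hash: 'sha256')
  constant_time_equal?(candidate, expected)
end

if __FILE__ == $PROGRAM_NAME
  puts "weak:   #{weak_digest(SAMPLE_PASSWORD)} (identical on every call)"
  stored = hash_password(SAMPLE_PASSWORD)
  puts "strong: #{stored}"
  puts "verify correct password: #{verify_password(SAMPLE_PASSWORD, stored)}"
  puts "verify wrong password:   #{verify_password('Tr0ub4dor&3', stored)}"
end
```

Hashing the same password twice with `hash_password` yields two different records because the salt is fresh each time, while `weak_digest` returns the same MD5 every time; that difference is what the rule is protecting against. Verification must read the iteration count back from the stored record rather than from the constant, so the work factor can be raised later without invalidating existing hashes.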