Usage of weak hashing library (MD5)
- Rule ID: ruby_lang_weak_hash_md
- Languages: ruby
- Source: weak_hash_md.yml
Description
Using a weak hashing library like MD5 increases the risk of data breaches. MD5 is vulnerable to collision attacks, where two different inputs produce the same output, compromising data integrity and security.
Remediations
- Do not use MD5 or other weak hash algorithms for hashing. These are not secure and can be easily compromised.
Digest::MD5.hexdigest('weak hash') # unsafe
- Do use stronger hashing algorithms like bcrypt for securing data. Bcrypt is designed to be slow and computationally intensive, making it resistant to brute force attacks.
BCrypt::Password.create('iLOVEdogs123')
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=ruby_lang_weak_hash_md
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=ruby_lang_weak_hash_md