Usage of weak hashing library (MD5)

Description

Using a weak hash algorithm such as MD5 increases the risk of data breaches. MD5 is vulnerable to collision attacks, in which two different inputs produce the same digest, so it can no longer be relied on to protect data integrity and security.

Remediations

  • Do not use MD5 or other weak hash algorithms for hashing. These are not secure and can be easily compromised.
    require 'digest'
    Digest::MD5.hexdigest('weak hash') # unsafe: fast, unsalted, collision-prone
  • Use stronger hashing algorithms like bcrypt for securing data. Bcrypt is designed to be slow and computationally intensive, making it resistant to brute force attacks.
    require 'bcrypt' # bcrypt gem
    BCrypt::Password.create('iLOVEdogs123') # safe: salted, with an adjustable work factor
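As an added illustration of what a check like this rule looks for (example code written for this page, not Bearer's own implementation), the following stdlib-only Ruby scanner flags the MD5 call spellings above, including the OpenSSL variants, in a constructed source sample. The sample source, the pattern list and the function name find_weak_hash_calls are assumptions made here; the bcrypt line in the sample is included to show that it is left alone.

```ruby
# Constructed sample of Ruby source lines, as a scanner would see them.
# Lines 5 and 9 use MD5; line 13 uses bcrypt and should not be flagged.
SAMPLE_SOURCE = <<~RUBY
  require 'digest'
  require 'bcrypt'

  def legacy_token(value)
    Digest::MD5.hexdigest(value)                  # weak: MD5 from stdlib digest
  end

  def file_etag(path)
    OpenSSL::Digest::MD5.file(path).hexdigest     # weak: MD5 via OpenSSL
  end

  def store_password(plain)
    BCrypt::Password.create(plain)                # fine: bcrypt with salt and work factor
  end
RUBY

# Spellings of an MD5 digest call in Ruby that the scanner treats as weak.
# (Assumed list for this example; a real rule may cover more forms.)
WEAK_HASH_PATTERNS = [
  /\bDigest::MD5\b/,                                   # Digest::MD5.hexdigest / .digest
  /\bOpenSSL::Digest::MD5\b/,                          # OpenSSL::Digest::MD5.new / .file
  /OpenSSL::Digest(?:\.new)?\(\s*['"]md5['"]\s*\)/i,   # OpenSSL::Digest.new('md5')
].freeze

# Returns [[line_number, stripped_line], ...] for each line that matches
# any weak-hash pattern; line numbers are 1-based like editor and CI output.
def find_weak_hash_calls(source)
  source.each_line.with_index(1).filter_map do |line, number|
    [number, line.strip] if WEAK_HASH_PATTERNS.any? { |re| line.match?(re) }
  end
end

# Formats the findings the way a lint report would, one line per hit.
def report(source)
  find_weak_hash_calls(source).map do |number, text|
    "line #{number}: weak hash (MD5): #{text}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts report(SAMPLE_SOURCE)
end
```

Running the file prints two findings (lines 5 and 9 of the sample) and nothing for the bcrypt line; swapping the flagged calls for BCrypt::Password.create, or for a SHA-2 digest where a non-password checksum is all that is needed, makes the scanner return an empty list.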

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_weak_hash_md

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_lang_weak_hash_md