Recipe Name:
Encryptors requires the use of a random 8-byte salt
Description:
The salt should be a random 8-byte value, passed as a hex-encoded String
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
Documentation

Spring Security provides KeyGenerators.string().generateKey() to generate a salt: a random, hex-encoded string that is at least 8 bytes in length. A strong, unpredictable salt matters because it prevents dictionary attacks against the key derived from the password; a fixed literal such as "salt" gives every deployment the same derivation input and defeats that protection.

Before
Encryptors.stronger(password, "salt");
After
Encryptors.stronger(password, KeyGenerators.string().generateKey());
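The following is an added example, not code from the recipe or from Spring Security itself. It shows the "After" form in context: the salt from KeyGenerators.string() is generated once per value, used with Encryptors.stronger, and stored next to the ciphertext, because the same password and the same salt are needed to derive the decryption key later. The SealedValue record, the seal/open method names and the sample plaintext are constructed for illustration (Java 16+ for the record syntax; the password placeholder is read from an environment variable that is an assumption of this example).

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

import org.springframework.security.crypto.encrypt.BytesEncryptor;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.keygen.KeyGenerators;

/**
 * Added example (not part of the recipe): random salt from KeyGenerators.string()
 * used with Encryptors.stronger(), with the salt persisted beside the ciphertext.
 */
public class SaltedEncryptionExample {

    /** What must be stored together; a constructed holder, not a Spring type. */
    public record SealedValue(String saltHex, byte[] ciphertext) {}

    /** Encrypts plaintext under a key derived from password and a fresh random salt. */
    public static SealedValue seal(CharSequence password, byte[] plaintext) {
        // Random 8-byte salt, hex-encoded (16 characters), from a SecureRandom-backed generator.
        String saltHex = KeyGenerators.string().generateKey();
        BytesEncryptor encryptor = Encryptors.stronger(password, saltHex);
        return new SealedValue(saltHex, encryptor.encrypt(plaintext));
    }

    /** Decrypts using the salt that was stored with the ciphertext. */
    public static byte[] open(CharSequence password, SealedValue sealed) {
        // Same password + same salt derive the same key; generating a new salt here would not decrypt.
        BytesEncryptor encryptor = Encryptors.stronger(password, sealed.saltHex());
        return encryptor.decrypt(sealed.ciphertext());
    }

    public static void main(String[] args) {
        // Placeholder: in a real deployment the password comes from a secret store.
        String password = System.getenv().getOrDefault("APP_PASSWORD", "example-only-password");
        // Constructed sample plaintext.
        byte[] secret = "account-number-1234".getBytes(StandardCharsets.UTF_8);

        SealedValue sealed = seal(password, secret);
        System.out.println("salt (hex): " + sealed.saltHex());
        System.out.println("ciphertext (base64): "
                + Base64.getEncoder().encodeToString(sealed.ciphertext()));

        byte[] recovered = open(password, sealed);
        System.out.println("round trip ok: " + Arrays.equals(secret, recovered));

        // Each call draws its own salt, so identical inputs do not share a key or ciphertext.
        SealedValue again = seal(password, secret);
        System.out.println("salts differ: " + !sealed.saltHex().equals(again.saltHex()));
    }
}
```

The salt is not a secret and can be stored in clear alongside the ciphertext; what must stay protected is the password. Note that Encryptors.stronger hex-decodes the salt argument, so the generated value must be used as-is rather than re-encoded.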
References
Recipe
id: scw:spring:encryptors:salt
version: 10
metadata:
  name: Encryptors requires the use of a random 8-byte salt
  shortDescription: The salt should be random, 8-bytes and in hex-encoded String
  level: error
  language: java
  scwCategory: broken_cryptography:improper_use_of_cryptography_algorithm
  enabled: true
  descriptionFile: descriptions/Usearandom8bytesalt.html
  tags: Spring;security;framework specific;Spring Security
search:
  methodcall:
    args:
      2:
        type: java.lang.String
        value:
          containsUntrustedInput: false
    name: stronger
    type: org.springframework.security.crypto.encrypt.Encryptors
availableFixes:
- name: Generate a hex-encoded, random 8-byte salt
  actions:
  - modifyArguments:
      rewrite:
        2: org.springframework.security.crypto.keygen.KeyGenerators.string().generateKey()