Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms :: Recipe Details

Recipe Name:

Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms

Description:

Could lead to data exposure

Level:

error

Language:

java

Tags:

security
framework specific
Spring
Spring Security

Documentation

Passwords should be hashed using strong algorithms, such as the BCryptPasswordEncoder.

Before

ShaPasswordEncoder passwordEncoder = new ShaPasswordEncoder();

After

BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

Resources

Owasp Cheat sheet: Password Storage - bcrypt

Recipe

id: scw:spring:security:hash-passwords-assignments
version: 10
metadata:
  name: 'Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms'
  shortDescription: Could lead to data exposure
  level: error
  language: java
  scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms
  enabled: true
  descriptionFile: descriptions/DataProtectionSecureDataStorageAvoidDataExposureHashpasswordsusingstronghashingalgorithms_assignments.html
  tags: security;framework specific;Spring;Spring Security
search:
  assignment:
    variableType:
      reference:
        matches: (.*ShaPasswordEncoder|Md.PasswordEncoder|MessageDigestPasswordEncoder|StandardPasswordEncoder|PlaintextPasswordEncoder)
      checkInheritance: false
    expression:
      instanceCreation:
        type:
          reference:
            matches: (.*ShaPasswordEncoder|Md.PasswordEncoder|MessageDigestPasswordEncoder|StandardPasswordEncoder|PlaintextPasswordEncoder)
          checkInheritance: false
availableFixes:
- name: Encode with BCrypt
  actions:
  - changeType:
      type: org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
      target: variable
  - rewrite:
      to: new BCryptPasswordEncoder()
      target: assignedExpression