Sensei Logo Sensei Hub

Recipe - Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms

Description:
Could lead to data exposure
Level:
error
Language:
  • java
Tags:
  • security
  • framework specific
  • Spring
  • Spring Security
Documentation

Passwords should be hashed using strong algorithms, such as the BCryptPasswordEncoder.

Before
ShaPasswordEncoder passwordEncoder = new ShaPasswordEncoder();
After
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
Resources
Recipe
id: scw:spring:security:hash-passwords-assignments
version: 10
metadata:
  name: 'Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms'
  shortDescription: Could lead to data exposure
  level: error
  language: java
  scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms
  enabled: true
  descriptionFile: descriptions/DataProtectionSecureDataStorageAvoidDataExposureHashpasswordsusingstronghashingalgorithms_assignments.html
  tags: security;framework specific;Spring;Spring Security
search:
  assignment:
    variableType:
      reference:
        matches: (.*ShaPasswordEncoder|Md.PasswordEncoder|MessageDigestPasswordEncoder|StandardPasswordEncoder|PlaintextPasswordEncoder)
      checkInheritance: false
    expression:
      instanceCreation:
        type:
          reference:
            matches: (.*ShaPasswordEncoder|Md.PasswordEncoder|MessageDigestPasswordEncoder|StandardPasswordEncoder|PlaintextPasswordEncoder)
          checkInheritance: false
availableFixes:
- name: Encode with BCrypt
  actions:
  - changeType:
      type: org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
      target: variable
  - rewrite:
      to: new BCryptPasswordEncoder()
      target: assignedExpression