Recipe Name:
Encryptors requires the use of a random 8-byte salt
Description:
The salt should be a random, 8-byte, hex-encoded String
Level:
error
Language:
- java
Tags:
- Spring
- security
- framework specific
- Spring Security
Documentation
Spring Security provides KeyGenerators.string().generateKey(),
which generates a salt as a random, hex-encoded string of at least 8 bytes. A strong, random salt matters because it prevents dictionary attacks against the derived key: with a fixed or predictable salt, an attacker can precompute candidate keys once and reuse them against every installation that shares that salt.
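The following is an added example (not part of the recipe or of Spring Security itself) showing the fix end to end: the salt comes from KeyGenerators.string().generateKey(), the same salt is persisted next to the ciphertext and reused to rebuild the encryptor for decryption, and a small helper checks that a salt meets the recipe's requirement before it is used. The class name, the helper names and the sample password and plaintext are assumptions made for the example.

```java
import org.springframework.security.crypto.encrypt.BytesEncryptor;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.keygen.KeyGenerators;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical class written for this example; not from the recipe or from Spring Security.
public class SaltedEncryptorExample {

    // Recipe requirement: a random 8-byte salt, hex-encoded, i.e. 16 hex characters.
    // Encryptors.stronger hex-decodes the salt, so a non-hex literal such as "salt"
    // does not even satisfy the API's input contract, let alone the security goal.
    static boolean isValidSalt(String salt) {
        return salt != null && salt.matches("[0-9a-fA-F]{16}");
    }

    // Builds an AES-GCM BytesEncryptor from the password and the salt.
    // The salt is not secret: it is stored alongside the ciphertext so the
    // same key can be derived again when decrypting.
    static BytesEncryptor encryptorFor(CharSequence password, String hexSalt) {
        if (!isValidSalt(hexSalt)) {
            throw new IllegalArgumentException("salt must be 8 random bytes, hex-encoded");
        }
        return Encryptors.stronger(password, hexSalt);
    }

    public static void main(String[] args) {
        CharSequence password = "example-password";   // constructed sample value

        // Fixed form from the recipe: 8 random bytes from a SecureRandom source,
        // returned as a 16-character hex string.
        String salt = KeyGenerators.string().generateKey();

        byte[] plaintext = "sensitive record".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] ciphertext = encryptorFor(password, salt).encrypt(plaintext);

        // Decrypt with a fresh encryptor rebuilt from the same password and the stored salt.
        byte[] recovered = encryptorFor(password, salt).decrypt(ciphertext);

        System.out.println("salt length: " + salt.length());                 // 16
        System.out.println("round trip ok: " + Arrays.equals(plaintext, recovered));
    }
}
```

Note that each fresh call to generateKey() yields a different salt, so the salt must be generated once per installation (or per key) and persisted; regenerating it on every start would derive a different key and make earlier ciphertext unreadable.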
Before
Encryptors.stronger(password, "salt");
After
Encryptors.stronger(password, KeyGenerators.string().generateKey());
References
Recipe
id: scw:spring:encryptors:salt
version: 10
metadata:
  name: Encryptors requires the use of a random 8-byte salt
  shortDescription: The salt should be random, 8-bytes and in hex-encoded String
  level: error
  language: java
  scwCategory: broken_cryptography:improper_use_of_cryptography_algorithm
  enabled: true
  descriptionFile: descriptions/Usearandom8bytesalt.html
  tags: Spring;security;framework specific;Spring Security
search:
  methodcall:
    args:
      2:
        type: java.lang.String
        value:
          containsUntrustedInput: false
    name: stronger
    type: org.springframework.security.crypto.encrypt.Encryptors
availableFixes:
  - name: Generate a hex-encoded, random 8-byte salt
    actions:
      - modifyArguments:
          rewrite:
            2: org.springframework.security.crypto.keygen.KeyGenerators.string().generateKey()