• Home
• org.sonarsource.java
• sonar-java-plugin
• 8.8.0.37665
• source code
• S4425.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.java.rules.java.S4425.html Maven / Gradle / Ivy

Why is this an issue?
Using Integer.toHexString is a common mistake when converting sequences of bytes into hexadecimal string representations. The problem
is that the method trims leading zeroes, which can lead to wrong conversions. For instance a two bytes value of 0x4508 would be converted
into 45 and 8 which once concatenated would give 0x458.
This is particularly damaging when converting hash-codes and could lead to a security vulnerability.
This rule raises an issue when Integer.toHexString is used in any kind of string concatenations.
Noncompliant code example
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] bytes = md.digest(password.getBytes("UTF-8"));

StringBuilder sb = new StringBuilder();
for (byte b : bytes) {
    sb.append(Integer.toHexString( b & 0xFF )); // Noncompliant
}

Compliant solution
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] bytes = md.digest(password.getBytes("UTF-8"));

StringBuilder sb = new StringBuilder();
for (byte b : bytes) {
    sb.append(String.format("%02X", b));
}

Resources

  
 CWE - CWE-704 - Incorrect Type Conversion or Cast 
  
 Derived from FindSecBugs rule BAD_HEXA_CONVERSION