Incorrect Type Conversion or Cast
Description
When converting a byte array containing a hash or signature to a human-readable string, a conversion mistake is easy to make if the array is encoded byte by byte with an integer-to-hex routine: a Java byte is signed, so values from 0x80 upward are sign-extended to a 32-bit int (yielding eight hex digits such as "ffffffab"), and values below 0x10 lose their leading zero. The resulting string is not the hex encoding of the digest, so comparisons against a stored or expected value fail or, worse, pass for the wrong data.
Examples
Insecure Code
```java
import java.security.MessageDigest;
byte[] bArr = MessageDigest.getInstance("SHA-256").digest();
StringBuilder hex = new StringBuilder();
for (byte b : bArr) {
    // b is widened to a signed int: bytes >= 0x80 become "ffffffXX" and bytes < 0x10 lose their leading zero
    hex.append(Integer.toHexString(b));
}
String hexString = hex.toString();
```
Secure Code
```java
import java.security.MessageDigest;
byte[] bArr = MessageDigest.getInstance("SHA-256").digest();
// HexFormat (Java 17+) masks each byte and emits exactly two lowercase hex digits per byte
String hexString = java.util.HexFormat.of().formatHex(bArr);
```
Remediation
Use a proper method to convert the byte array to a hexadecimal string, such as java.util.HexFormat.of().formatHex() (available from Java 17) or javax.xml.bind.DatatypeConverter.printHexBinary() (part of JAXB, which is no longer bundled with the JDK from Java 11 onward and must be added as a dependency). If a manual loop is unavoidable, mask each byte to its unsigned value and zero-pad to two digits, for example String.format("%02x", b & 0xff).
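The following is an added, self-contained example (not code from the original rule page) that puts the flawed byte-by-byte conversion next to two correct encoders and checks whether the outputs agree. The class name, method names and the sample byte array are constructed for this illustration; the sample deliberately includes a zero byte, a value below 0x10 and two values at or above 0x80 so that every failure mode of Integer.toHexString(byte) shows up.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

public class HexConversionCheck {

    // The flawed pattern from the "Insecure Code" example: the byte is widened to a
    // signed int before conversion, so negative bytes sign-extend to eight hex digits
    // and small positive bytes are emitted with a single digit.
    static String naiveHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(Integer.toHexString(b));
        }
        return sb.toString();
    }

    // Correct manual encoder: mask to the unsigned range 0..255 and zero-pad to two digits.
    static String maskedHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // Library encoder recommended in the remediation (Java 17+).
    static String libraryHex(byte[] bytes) {
        return HexFormat.of().formatHex(bytes);
    }

    // True only if the naive encoding happens to equal the canonical one, which requires
    // every byte to lie in 0x10..0x7f; for a 32-byte SHA-256 digest that is vanishingly rare.
    static boolean naiveMatchesCanonical(byte[] bytes) {
        return naiveHex(bytes).equals(libraryHex(bytes));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample covering each failure mode: 0x00, 0x0a (< 0x10), 0xab and 0xff (>= 0x80).
        byte[] sample = {0x00, 0x0a, (byte) 0xab, (byte) 0xff, 0x7f};
        System.out.println("naive   : " + naiveHex(sample));
        System.out.println("masked  : " + maskedHex(sample));
        System.out.println("library : " + libraryHex(sample));
        System.out.println("naive length " + naiveHex(sample).length()
                + " vs canonical length " + libraryHex(sample).length());

        // Same check against a real digest of constructed input.
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest("hello".getBytes(StandardCharsets.UTF_8));
        System.out.println("naive matches canonical for SHA-256(\"hello\"): "
                + naiveMatchesCanonical(digest));
        System.out.println("masked matches canonical: "
                + maskedHex(digest).equals(libraryHex(digest)));
    }
}
```

For the five-byte sample, naiveHex produces a 20-character string (the two high bytes each expand to "ffffffab" and "ffffffff", while 0x00 and 0x0a shrink to "0" and "a"), whereas maskedHex and libraryHex both produce the 10-character canonical form "000aabff7f". A digest compared in the naive form will therefore almost never equal a correctly encoded reference value, which is the practical symptom of this rule: signature or checksum verification that fails, or that gets "fixed" by storing the malformed string as the reference.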
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0069 |
| Category | Generic |
| Severity | MEDIUM |
| CWE | CWE-704 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | hash signature, type conversion |
| OWASP | N/A |