# Incorrect Type Conversion or Cast

| ID | Severity | Resource | Language |
|---|---|---|---|
| scala.strings.scala_strings_rule_badhexconversion | low | Strings | Scala |
## Description

When converting a byte array containing a hash signature to a human readable string, a conversion mistake can be made if the array is read byte by byte.
## Rationale

When a hash digest is converted byte by byte, each `Byte` is widened to an `Int` before it reaches `Integer.toHexString`. A negative byte (any value 0x80 to 0xff) is sign-extended, so it is rendered as eight hex digits such as `ffffffba` instead of `ba`, and a byte below 0x10 loses its leading zero. The resulting string has the wrong length and cannot be compared reliably against a correctly encoded digest, for example a stored password hash or a signature produced by another system.
The following code illustrates a vulnerable pattern detected by this rule:

```scala
import java.security.MessageDigest

def danger(text: String) = {
  val md: MessageDigest = MessageDigest.getInstance("SHA-256")
  // VULNERABLE: Incorrect Type Conversion or Cast
  val resultBytes = md.digest(text.getBytes("UTF-8"))
  val stringBuilder = new StringBuilder
  for (b <- resultBytes) {
    // b is widened from Byte to Int: negative bytes sign-extend to 8 digits,
    // small bytes drop their leading zero
    stringBuilder.append(Integer.toHexString(b))
  }
  stringBuilder.toString
}
```
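The following is an added example, not part of the rule's own documentation, that places the flagged pattern next to a corrected encoder and checks both against the known SHA-256 digest of `"abc"`. The object and method names (`HexDigestExample`, `brokenHex`, `safeHex`) are assumptions chosen for this example.

```scala
import java.security.MessageDigest

object HexDigestExample {
  // Hypothetical helper: SHA-256 over the UTF-8 bytes of the input.
  private def sha256(text: String): Array[Byte] =
    MessageDigest.getInstance("SHA-256").digest(text.getBytes("UTF-8"))

  // Flagged pattern: Byte widens to Int, so a negative byte such as 0xba
  // sign-extends to "ffffffba" and 0x01 collapses to "1".
  def brokenHex(bytes: Array[Byte]): String =
    bytes.map(b => Integer.toHexString(b)).mkString

  // Corrected form: mask to 0..255 and always emit exactly two hex digits.
  def safeHex(bytes: Array[Byte]): String =
    bytes.map(b => f"${b & 0xff}%02x").mkString

  def main(args: Array[String]): Unit = {
    val digest = sha256("abc")
    val broken = brokenHex(digest)
    val safe = safeHex(digest)
    println(s"broken: $broken (${broken.length} chars)")
    println(s"safe:   $safe (${safe.length} chars)")

    // A SHA-256 hex digest is always exactly 64 characters; the broken
    // encoder fails this length check on almost any input.
    require(safe.length == 64)
    require(safe == "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
    require(broken != safe)
  }
}
```

A cheap regression check for code that emits hex digests is to assert the output length (`2 * digestLengthInBytes`) and that it matches `^[0-9a-f]+$`; both assertions fail for the byte-by-byte `Integer.toHexString` version as soon as a digest contains a byte at or above 0x80 or below 0x10.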
## Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.

## References

- OWASP Top 10 2021 - A03: Injection.