Metadata

ID: go-security/hashsum

Language: Go

Severity: Error

Category: Error Prone

Description

When you use a hash function that implements hash.Hash, you need to use Write() to provide the data before calling Sum().

// Correct usage of hash.Hash
h := sha256.New()
h.Write(data)
sum := h.Sum(nil)
// 'sum' contains the SHA256 sum of 'data'

Since Sum() takes a byte slice as an argument, it is a common mistake to believe that this argument contains the data to be hashed. In reality, this argument is not hashed: it holds existing data to which Sum() appends the current hash.

// Incorrect usage of hash.Hash
h := sha256.New()
sum := h.Sum(data)
// wrong: 'sum' contains 'data' followed by the SHA256 sum of an empty string

This rule detects these erroneous usages of hash.Hash.
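The difference described above, as a runnable added example (not part of the rule's own documentation). The function names and sample inputs are constructed for illustration; `hasEmptyDigestSuffix` is a hypothetical helper showing how to recognise values produced by the bug.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// misusedSum reproduces the bug: data is passed to Sum() and never written
// to the hash, so the result is data followed by SHA256 of empty input.
func misusedSum(data []byte) []byte {
	h := sha256.New()
	return h.Sum(data)
}

// correctSum writes data into the hash, then lets Sum() append to nil.
func correctSum(data []byte) []byte {
	h := sha256.New()
	h.Write(data) // hash.Hash.Write never returns an error
	return h.Sum(nil)
}

// hasEmptyDigestSuffix reports whether out ends with SHA256 of zero bytes,
// the fingerprint this misuse leaves in stored "hashes" (hypothetical helper).
func hasEmptyDigestSuffix(out []byte) bool {
	empty := sha256.Sum256(nil)
	return len(out) >= sha256.Size && bytes.Equal(out[len(out)-sha256.Size:], empty[:])
}

func main() {
	// Constructed sample inputs.
	a, b := []byte("invoice-1001"), []byte("invoice-1002")

	badA, badB := misusedSum(a), misusedSum(b)
	fmt.Printf("misused: len=%d, starts with %q\n", len(badA), badA[:len(a)])
	fmt.Println("digest part identical for different inputs:",
		bytes.Equal(badA[len(a):], badB[len(b):]))
	fmt.Println("fingerprint in misused output:", hasEmptyDigestSuffix(badA))

	good := correctSum(a)
	fmt.Printf("correct: %x\n", good)
	fmt.Println("fingerprint in correct output:", hasEmptyDigestSuffix(good))
}
```

The misused output carries the input in the clear and a digest that never changes, so it gives no integrity protection and can leak the data it was meant to hash.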

Non-Compliant Code Examples

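package main

import "crypto/sha256"

func main() {
    out := make([]byte, 64)
    h := sha256.New()
    // Non-compliant: Sum() is called without any prior Write(), so nothing is hashed
    hashed := h.Sum(out)

    // Non-compliant: same mistake on a freshly created hash
    hashed2 := sha256.New().Sum(out)

    _, _ = hashed, hashed2 // avoid "declared and not used" compile errors
}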

Compliant Code Examples

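package main

import (
    "crypto/sha256"
    "hash"
)

func main() {
    arr := []byte{1, 2, 3}
    out := make([]byte, 64)
    h := sha256.New()
    h.Write(arr)
    // Compliant: data was written before Sum(); the digest is appended to 'out'
    hashed := h.Sum(out)

    h2 := sha256.New()
    hashArr(h2, arr) // the Write() happens inside the helper
    hashed2 := h2.Sum(out)

    _, _ = hashed, hashed2 // avoid "declared and not used" compile errors
}

// hashArr writes b into the given hash.
func hashArr(h hash.Hash, b []byte) {
    h.Write(b)
}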