SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

Weak Cryptographic Hash: Missing Required Step #196

Closed QiAnXinCodeSafe closed 4 years ago

QiAnXinCodeSafe commented 4 years ago

https://github.com/SAP/cloud-security-xsuaa-integration/blob/c426e8dfa3cef9406364cfe4413189767d09dd2a/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/extractor/TokenBrokerResolver.java#L244-L248

The code misses invoking a required step during the process of generating a cryptographic hash.

nenaraab commented 4 years ago

Hi @QiAnXinCodeSafe,

What would be your proposal? I think in this context it is uncritical, as we need to generate a unique key for the cache, which itself is private.

Best regards

nenaraab commented 4 years ago

Closed due to inactivity. Do not hesitate to re-open again... Thanks!