Using Integer.toHexString
is a common mistake when converting sequences of bytes into hexadecimal string representations. The problem
is that the method trims leading zeroes, which can lead to wrong conversions. For instance a two bytes value of 0x4508
would be converted
into 45
and 8
which once concatenated would give 0x458
.
This is particularly damaging when converting hash-codes and could lead to a security vulnerability.
This rule raises an issue when Integer.toHexString
is used in any kind of string concatenations.
MessageDigest md = MessageDigest.getInstance("SHA-256"); byte[] bytes = md.digest(password.getBytes("UTF-8")); StringBuilder sb = new StringBuilder(); for (byte b : bytes) { sb.append(Integer.toHexString( b & 0xFF )); // Noncompliant }
MessageDigest md = MessageDigest.getInstance("SHA-256"); byte[] bytes = md.digest(password.getBytes("UTF-8")); StringBuilder sb = new StringBuilder(); for (byte b : bytes) { sb.append(String.format("%02X", b)); }