@misterAnderson90
Last active May 30, 2022 23:04

CogniCrypt (report 2) for mpv-remote

  • Class: miccah.mpvremote.HMAC

  • Method: digest

  • Line: 29

  • Issue details: ConstraintError-1

    • ConstraintError violating CrySL rule for javax.crypto.Mac.

    • First parameter (with value HmacMD5) should be any of {HmacSHA256, HmacSHA384, HmacSHA512, HmacPBESHA1, PBEWithHmacSHA1, PBEWithHmacSHA224, PBEWithHmacSHA256, PBEWithHmacSHA384, PBEWithHmacSHA512}.

Code

  public String digest() {
      String digest = null;
      try {
          SecretKeySpec key = new SecretKeySpec(
                  keyString.getBytes("UTF-8"), algorithm);
          Mac mac = Mac.getInstance(algorithm);
          mac.init(key);

          byte[] bytes = mac.doFinal(message.getBytes("UTF-8"));

          StringBuffer hash = new StringBuffer();
          for (int i = 0; i < bytes.length; i++) {
              String hex = Integer.toHexString(0xFF & bytes[i]);
              if (hex.length() == 1) {
                  hash.append('0');
              }
              hash.append(hex);
          }
          digest = hash.toString();
      } catch (Exception e) {}
      return digest;
  }

Questions

  1. How likely is it that this warning reveals a security threat to this app?

  2. Are you likely to accept a patch that fixes this particular issue?
