
001_0007 - HashAlgorithm

Hash algorithm

Set the app's hash algorithm (App Settings > Runtime) to BCrypt or SSHA256.

Metadata

authors:
- Bart Zantingh <bart.zantingh@nl.abnamro.com>
category: Security
input: Settings$ProjectSettings.yaml
related_resources:
- https://docs.mendix.com/refguide/security#hashing-algorithms
rulename: HashAlgorithm
rulenumber: '001_0007'
scope: package
severity: HIGH

Description

The hash algorithms BCrypt and SSHA256 are the strongest of the options Mendix offers for storing user passwords; SHA256 and MD5 are weaker and should not be used. Note that this setting selects a one-way password hash, not an encryption algorithm: the stored value cannot be reversed, and BCrypt is preferred because its configurable work factor slows down offline brute-force attacks on a leaked database.

Remediation

Set the app's hash algorithm (App Settings > Runtime) to BCrypt or SSHA256.

Test cases

package app.mendix.project_settings.hash_algorithm_test

import data.app.mendix.project_settings.hash_algorithm
import rego.v1

# Test data
bcrypt := {"Settings": {
    "$Type": "Settings$ModelSettings",
    "HashAlgorithm": "BCrypt",
}}

ssha256 := {"Settings": {
    "$Type": "Settings$ModelSettings",
    "HashAlgorithm": "SSHA256",
}}

sha256 := {"Settings": {
    "$Type": "Settings$ModelSettings",
    "HashAlgorithm": "SHA256",
}}

md5 := {"Settings": {
    "$Type": "Settings$ModelSettings",
    "HashAlgorithm": "MD5",
}}

# Test cases
test_should_allow_when_hash_algorithm_in_allowed_list if {
    hash_algorithm.allow with input as bcrypt
    hash_algorithm.allow with input as ssha256
}

test_should_deny_when_hash_algorithm_not_in_allowed_list if {
    not hash_algorithm.allow with input as sha256
    not hash_algorithm.allow with input as md5
}
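
The test cases above exercise a `hash_algorithm.allow` rule that the page itself does not show. The following policy is an added example that satisfies those tests; it is not the project's own implementation. It assumes the `$Type` guard seen in the test data and adds a `deny` set (a name chosen here, not one the page defines) so a report can name the offending value; an unset `HashAlgorithm` is treated as a failure rather than assumed to be the BCrypt default.

```rego
package app.mendix.project_settings.hash_algorithm

import rego.v1

# Algorithms the rule accepts; anything else (SHA256, MD5, or an unset value) fails.
allowed_algorithms := {"BCrypt", "SSHA256"}

default allow := false

allow if {
    # Guard on the model settings type, as the test data does (assumption).
    input.Settings["$Type"] == "Settings$ModelSettings"
    input.Settings.HashAlgorithm in allowed_algorithms
}

# Human-readable finding for a report; empty when the rule passes.
deny contains msg if {
    not allow
    current := object.get(input.Settings, "HashAlgorithm", "<unset>")
    msg := sprintf(
        "HashAlgorithm is %q; set it to BCrypt or SSHA256 (App Settings > Runtime)",
        [current],
    )
}
```

Place the policy beside the test file and run `opa test -v .` to confirm the allow and deny cases pass; `opa eval -i Settings.json 'data.app.mendix.project_settings.hash_algorithm.deny'` (with the YAML converted to JSON) prints the finding for a single project.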