Hashing data is security-sensitive. It has led in the past to the following vulnerabilities:

Cryptographic hash functions are used to uniquely identify information without storing its original form. When hashing is not done properly, an attacker can recover the original information by guessing it (for example with a rainbow table of precomputed hashes), or replace the original data with different data that has the same hash.

This rule flags code that initiates hashing.

Ask Yourself Whether

You are at risk if you answered yes to the first question and any of the following ones.

Recommended Secure Coding Practices

Questionable Code Example

// === Server side === (Node.js)
const crypto = require("crypto");

// Placeholder inputs so the snippet runs; in real code they come from the application
const secret = "user-supplied secret";
const salt = crypto.randomBytes(16);
const keylen = 64;

const hash = crypto.createHash('sha1'); // Questionable regardless of algorithm used

crypto.scrypt(secret, salt, keylen, (err, derivedKey) => {}); // Questionable
const derivedKey = crypto.scryptSync(secret, salt, keylen); // Questionable

// === Client side === (browser: `crypto` is the global Web Crypto object)
const buffer = new TextEncoder().encode("data to hash"); // placeholder input
crypto.subtle.digest("SHA-256", buffer) // Questionable regardless of algorithm used
  .then(function (hash) {});

See