Mercurial Repositories > eric / annotate
src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureHashlibNew.py@d1c6608155ef (annotated)
src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureHashlibNew.py
Tue, 16 Jan 2024 18:24:06 +0100
- author
- Detlev Offenbach <detlev@die-offenbachs.de>
- date
- Tue, 16 Jan 2024 18:24:06 +0100
- branch
- eric7
- changeset 10507
- d1c6608155ef
- parent 10439
- 21c28b0f9e41
- child 11090
- f5f5f5803935
- permissions
- -rw-r--r--
Code Style Checker
- Updated the 'Security' checkers to support more cases.
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
1 | # -*- coding: utf-8 -*- |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
2 | |
|
10439
21c28b0f9e41
Updated copyright for 2024.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10050
diff
changeset
|
3 | # Copyright (c) 2020 - 2024 Detlev Offenbach <detlev@die-offenbachs.de> |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
4 | # |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
5 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
6 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
7 | Module implementing a check for use of insecure md4, md5, or sha1 hash |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
8 | functions in hashlib.new(). |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
9 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
10 | |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
11 | import sys |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
12 | |
|
9473
3f23dbf37dbe
Resorted the import statements using isort.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9325
diff
changeset
|
13 | from Security.SecurityDefaults import SecurityDefaults |
|
3f23dbf37dbe
Resorted the import statements using isort.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9325
diff
changeset
|
14 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
15 | # |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
16 | # This is a modified version of the one found in the bandit package. |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
17 | # |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
18 | # Original Copyright 2014 Hewlett-Packard Development Company, L.P. |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
19 | # |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
20 | # SPDX-License-Identifier: Apache-2.0 |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
21 | # |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
22 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
23 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
24 | def getChecks(): |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
25 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
26 | Public method to get a dictionary with checks handled by this module. |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
27 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
28 | @return dictionary containing checker lists containing checker function and |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
29 | list of codes |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
30 | @rtype dict |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
31 | """ |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
32 | return { |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
33 | "Call": [ |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
34 | (checkHashlib, ("S331",)), |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
35 | ], |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
36 | } |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
37 | |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
38 | |
|
10507
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
39 | def _hashlibFunc(reportError, context, func, config): |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
40 | """ |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
41 | Function to check for use of insecure md4, md5, sha or sha1 hash functions |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
42 | in hashlib.new() if 'usedforsecurity' is not set to 'False'. |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
43 | |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
44 | @param reportError function to be used to report errors |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
45 | @type func |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
46 | @param context security context object |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
47 | @type SecurityContext |
|
10507
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
48 | @param func name of the hash function |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
49 | @type str |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
50 | @param config dictionary with configuration data |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
51 | @type dict |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
52 | """ |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
53 | insecureHashes = ( |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
54 | [h.lower() for h in config["insecure_hashes"]] |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
55 | if config and "insecure_hashes" in config |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
56 | else SecurityDefaults["insecure_hashes"] |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
57 | ) |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
58 | |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
59 | if isinstance(context.callFunctionNameQual, str): |
|
10507
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
60 | keywords = context.callKeywords |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
61 | |
|
10507
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
62 | if func in insecureHashes: |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
63 | if keywords.get("usedforsecurity", "True") == "True": |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
64 | reportError( |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
65 | context.node.lineno - 1, |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
66 | context.node.col_offset, |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
67 | "S332", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
68 | "H", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
69 | "H", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
70 | func.upper(), |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
71 | ) |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
72 | elif func == "new": |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
73 | args = context.callArgs |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
74 | name = args[0] if args else keywords.get("name") |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
75 | if ( |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
76 | isinstance(name, str) |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
77 | and name.lower() in insecureHashes |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
78 | and keywords.get("usedforsecurity", "True") == "True" |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
79 | ): |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
80 | reportError( |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
81 | context.node.lineno - 1, |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
82 | context.node.col_offset, |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
83 | "S332", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
84 | "H", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
85 | "H", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
86 | name.upper(), |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
87 | ) |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
88 | |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
89 | |
|
10507
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
90 | def _hashlibNew(reportError, context, func, config): |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
91 | """ |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
92 | Function to check for use of insecure md4, md5, sha or sha1 hash functions |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
93 | in hashlib.new(). |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
94 | |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
95 | @param reportError function to be used to report errors |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
96 | @type func |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
97 | @param context security context object |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
98 | @type SecurityContext |
|
10507
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
99 | @param func name of the hash function |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
100 | @type str |
|
7614
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
101 | @param config dictionary with configuration data |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
102 | @type dict |
|
646742c260bd
Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
103 | """ |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
104 | insecureHashes = ( |
|
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
105 | [h.lower() for h in config["insecure_hashes"]] |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
106 | if config and "insecure_hashes" in config |
|
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
107 | else SecurityDefaults["insecure_hashes"] |
|
8259
2bbec88047dd
Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
7923
diff
changeset
|
108 | ) |
|
9221
bf71ee032bb4
Reformatted the source code using the 'Black' utility.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9209
diff
changeset
|
109 | |
|
10507
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
110 | if func == "new": |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
111 | args = context.callArgs |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
112 | keywords = context.callKeywords |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
113 | name = args[0] if args else keywords.get("name") |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
114 | if isinstance(name, str) and name.lower() in insecureHashes: |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
115 | reportError( |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
116 | context.node.lineno - 1, |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
117 | context.node.col_offset, |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
118 | "S331", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
119 | "M", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
120 | "H", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
121 | name.upper(), |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
122 | ) |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
123 | |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
124 | |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
125 | def _cryptCrypt(reportError, context, func, config): |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
126 | """ |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
127 | Function to check for use of insecure md4, md5, sha or sha1 hash functions |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
128 | in crypt.crypt(). |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
129 | |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
130 | @param reportError function to be used to report errors |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
131 | @type func |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
132 | @param context security context object |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
133 | @type SecurityContext |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
134 | @param func name of the hash function |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
135 | @type str |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
136 | @param config dictionary with configuration data |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
137 | @type dict |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
138 | """ |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
139 | insecureHashes = ( |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
140 | [h.lower() for h in config["insecure_hashes"]] |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
141 | if config and "insecure_hashes" in config |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
142 | else SecurityDefaults["insecure_hashes"] |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
143 | ) |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
144 | |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
145 | args = context.callArgs |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
146 | keywords = context.callKeywords |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
147 | |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
148 | if func == "crypt": |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
149 | name = args[1] if len(args) > 1 else keywords.get("salt") |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
150 | if isinstance(name, str) and name in insecureHashes: |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
151 | reportError( |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
152 | context.node.lineno - 1, |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
153 | context.node.col_offset, |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
154 | "S331", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
155 | "M", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
156 | "H", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
157 | name.upper(), |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
158 | ) |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
159 | |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
160 | elif func == "mksalt": |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
161 | name = args[0] if args else keywords.get("method") |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
162 | if isinstance(name, str) and name in insecureHashes: |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
163 | reportError( |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
164 | context.node.lineno - 1, |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
165 | context.node.col_offset, |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
166 | "S331", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
167 | "M", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
168 | "H", |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
169 | name.upper(), |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
170 | ) |
|
9325
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
171 | |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
172 | |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
173 | def checkHashlib(reportError, context, config): |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
174 | """ |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
175 | Function to check for use of insecure md4, md5, sha or sha1 hash functions |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
176 | in hashlib.new(). |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
177 | |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
178 | @param reportError function to be used to report errors |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
179 | @type func |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
180 | @param context security context object |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
181 | @type SecurityContext |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
182 | @param config dictionary with configuration data |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
183 | @type dict |
|
8157eb19aba5
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
9221
diff
changeset
|
184 | """ |
|
10507
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
185 | if isinstance(context.callFunctionNameQual, str): |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
186 | qualnameList = context.callFunctionNameQual.split(".") |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
187 | func = qualnameList[-1] |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
188 | |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
189 | if "hashlib" in qualnameList: |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
190 | if sys.version_info >= (3, 9): |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
191 | _hashlibFunc(reportError, context, func, config) |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
192 | else: |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
193 | _hashlibNew(reportError, context, func, config) |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
194 | elif "crypt" in qualnameList and func in ("crypt", "mksalt"): |
|
d1c6608155ef
Code Style Checker
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
10439
diff
changeset
|
195 | _cryptCrypt(reportError, context, func, config) |
