eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/awsHardcodedPassword.py

author       Detlev Offenbach <detlev@die-offenbachs.de>
date         Wed, 17 Jun 2020 20:18:54 +0200
changeset    7628  f904d0eef264
parent       7622  384e2aa5c073
child        7923  91e843545d9a
permissions  -rw-r--r--

Checked the reported security related issue reports generated by the new security checker.

Annotate: the "# Original License: GPLv3" line and the two blank lines following the imports were last changed in 7628 (f904d0eef264, the changeset shown); every other line dates from 7622 (384e2aa5c073, "Code Style Checker: continued to implement checker for security related issues.").

# -*- coding: utf-8 -*-

# Copyright (c) 2020 Detlev Offenbach <detlev@die-offenbachs.de>
#

"""
Module implementing checks for potentially hardcoded AWS passwords.
"""

#
# This is a modified version of the one found at
# https://pypi.org/project/bandit-aws/.
#
# Original Copyright 2020 CMCRC (devcdt@cmcrc.com)
#
# Original License: GPLv3
#

from collections import Counter
import math
import re
import string


def getChecks():
    """
    Public method to get a dictionary with checks handled by this module.
    
    @return dictionary containing checker lists containing checker function and
        list of codes
    @rtype dict
    """
    return {
        "Str": [
            (checkHardcodedAwsKey, ("S801", "S802")),
        ],
    }

AWS_ACCESS_KEY_ID_SYMBOLS = string.ascii_uppercase + string.digits
AWS_ACCESS_KEY_ID_REGEX = re.compile(
    '[' + AWS_ACCESS_KEY_ID_SYMBOLS + ']{20}'
)
AWS_ACCESS_KEY_ID_MAX_ENTROPY = 3

AWS_SECRET_ACCESS_KEY_SYMBOLS = string.ascii_letters + string.digits + '/+='
AWS_SECRET_ACCESS_KEY_REGEX = re.compile(
    '[' + AWS_SECRET_ACCESS_KEY_SYMBOLS + ']{40}'
)
AWS_SECRET_ACCESS_KEY_MAX_ENTROPY = 4.5


def shannonEntropy(data, symbols):
    """
    Function to calculate the Shannon entropy of some given data.
    
    Source:
    http://blog.dkbza.org/2007/05/scanning-data-for-entropy-anomalies.html
    
    @param data data to calculate the entropy for
    @type str
    @param symbols allowed symbols
    @type str
    @return Shannon entropy of the given data
    @rtype float
    """
    if not data:
        return 0
    entropy = 0
    counts = Counter(data)
    for x in symbols:
        p_x = float(counts[x]) / len(data)
        if p_x > 0:
            entropy += - p_x * math.log(p_x, 2)
    return entropy


def checkHardcodedAwsKey(reportError, context, config):
    """
    Function to check for potentially hardcoded AWS passwords.
    
    @param reportError function to be used to report errors
    @type func
    @param context security context object
    @type SecurityContext
    @param config dictionary with configuration data
    @type dict
    """
    node = context.node
    if AWS_ACCESS_KEY_ID_REGEX.fullmatch(node.s):
        entropy = shannonEntropy(node.s, AWS_ACCESS_KEY_ID_SYMBOLS)
        if entropy > AWS_ACCESS_KEY_ID_MAX_ENTROPY:
            reportError(
                context.node.lineno - 1,
                context.node.col_offset,
                "S801",
                "L",
                "M",
                node.s
            )
    
    elif AWS_SECRET_ACCESS_KEY_REGEX.fullmatch(node.s):
        entropy = shannonEntropy(node.s, AWS_SECRET_ACCESS_KEY_SYMBOLS)
        if entropy > AWS_SECRET_ACCESS_KEY_MAX_ENTROPY:
            reportError(
                context.node.lineno - 1,
                context.node.col_offset,
                "S802",
                "M",
                "M",
                node.s
            )
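The rule above has two parts: a shape test (the regex) and a randomness test (Shannon entropy above 3 bits for a 20-character access key ID, above 4.5 bits for a 40-character secret key). The following stand-alone scanner is an added example, not eric6 code; it applies the same alphabets and thresholds to the string constants of a Python module and uses AWS's own documentation placeholder keys as constructed input, alongside strings that show where the rule stops (a regex hit with entropy 0 is ignored, while a plain alphabet run is a false positive because entropy measures variety, not randomness). It assumes Python 3.8+, where string literals parse to `ast.Constant`.

```python
"""Stand-alone demo of the regex + Shannon-entropy rule in the checker above."""
import ast
import math
import re
import string
from collections import Counter

# Same alphabets and thresholds (bits per symbol) as the eric6 checker.
ACCESS_KEY_ID_SYMBOLS = string.ascii_uppercase + string.digits
SECRET_KEY_SYMBOLS = string.ascii_letters + string.digits + "/+="
ACCESS_KEY_ID_RE = re.compile("[" + ACCESS_KEY_ID_SYMBOLS + "]{20}")
SECRET_KEY_RE = re.compile("[" + SECRET_KEY_SYMBOLS + "]{40}")
ACCESS_KEY_ID_MAX_ENTROPY = 3
SECRET_KEY_MAX_ENTROPY = 4.5


def shannon_entropy(data):
    """Shannon entropy (bits) of the symbol distribution in data.

    The checker iterates over its allowed alphabet; since the regex has already
    confirmed every character is in that alphabet, summing the observed counts
    gives the identical value."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(value):
    """Return "S801" (access key ID), "S802" (secret key) or None."""
    if ACCESS_KEY_ID_RE.fullmatch(value):
        if shannon_entropy(value) > ACCESS_KEY_ID_MAX_ENTROPY:
            return "S801"
    elif SECRET_KEY_RE.fullmatch(value):
        if shannon_entropy(value) > SECRET_KEY_MAX_ENTROPY:
            return "S802"
    return None


def scan_source(source):
    """Return sorted (lineno, code, value) for every flagged string constant."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            code = classify(node.value)
            if code:
                findings.append((node.lineno, code, node.value))
    return sorted(findings)


# Constructed sample input. The two credential-shaped strings are the
# placeholder values AWS itself uses in its documentation, not live keys.
SAMPLE_SOURCE = '''
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"                         # S801
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # S802
PLACEHOLDER = "AAAAAAAAAAAAAAAAAAAA"        # regex hit, entropy 0: ignored
DIGITS = "0123456789012345678901234567890123456789"  # entropy 3.32: ignored
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn"  # 5.32: false positive
'''

if __name__ == "__main__":
    for lineno, code, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {code} entropy={shannon_entropy(value):.2f}")
```

The last sample line is the caveat to keep in mind when tuning thresholds: entropy only rises with the number of distinct symbols, so a sequential alphabet scores higher than a genuinely random key of the same length.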
