Mercurial Repositories > eric / file comparison
comparison: eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/awsHardcodedPassword.py
eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/awsHardcodedPassword.py
- changeset 7622
- 384e2aa5c073
- child 7628
- f904d0eef264
equal
deleted
inserted
replaced
| 7621:ffd1f00ca376 | 7622:384e2aa5c073 |
|---|---|
| 1 # -*- coding: utf-8 -*- | |
| 2 | |
| 3 # Copyright (c) 2020 Detlev Offenbach <detlev@die-offenbachs.de> | |
| 4 # | |
| 5 | |
| 6 """ | |
| 7 Module implementing checks for potentially hardcoded AWS passwords. | |
| 8 """ | |
| 9 | |
| 10 # | |
| 11 # This is a modified version of the one found at | |
| 12 # https://pypi.org/project/bandit-aws/. | |
| 13 # | |
| 14 # Original Copyright 2020 CMCRC (devcdt@cmcrc.com) | |
| 15 # | |
| 16 # License: GPLv3 | |
| 17 # | |
| 18 | |
| 19 from collections import Counter | |
| 20 import math | |
| 21 import re | |
| 22 import string | |
| 23 | |
| 24 def getChecks(): | |
| 25 """ | |
| 26 Public method to get a dictionary with checks handled by this module. | |
| 27 | |
| 28 @return dictionary containing checker lists containing checker function and | |
| 29 list of codes | |
| 30 @rtype dict | |
| 31 """ | |
| 32 return { | |
| 33 "Str": [ | |
| 34 (checkHardcodedAwsKey, ("S801", "S802")), | |
| 35 ], | |
| 36 } | |
| 37 | |
| 38 AWS_ACCESS_KEY_ID_SYMBOLS = string.ascii_uppercase + string.digits | |
| 39 AWS_ACCESS_KEY_ID_REGEX = re.compile( | |
| 40 '[' + AWS_ACCESS_KEY_ID_SYMBOLS + ']{20}' | |
| 41 ) | |
| 42 AWS_ACCESS_KEY_ID_MAX_ENTROPY = 3 | |
| 43 | |
| 44 AWS_SECRET_ACCESS_KEY_SYMBOLS = string.ascii_letters + string.digits + '/+=' | |
| 45 AWS_SECRET_ACCESS_KEY_REGEX = re.compile( | |
| 46 '[' + AWS_SECRET_ACCESS_KEY_SYMBOLS + ']{40}' | |
| 47 ) | |
| 48 AWS_SECRET_ACCESS_KEY_MAX_ENTROPY = 4.5 | |
| 49 | |
| 50 | |
| 51 def shannonEntropy(data, symbols): | |
| 52 """ | |
| 53 Function to caclculate the Shannon entropy of some given data. | |
| 54 | |
| 55 Source: | |
| 56 http://blog.dkbza.org/2007/05/scanning-data-for-entropy-anomalies.html | |
| 57 | |
| 58 @param data data to calculate the entropy for | |
| 59 @type str | |
| 60 @param symbols allowed symbols | |
| 61 @type str | |
| 62 @return Shannon entropy of the given data | |
| 63 @rtype float | |
| 64 """ | |
| 65 if not data: | |
| 66 return 0 | |
| 67 entropy = 0 | |
| 68 counts = Counter(data) | |
| 69 for x in symbols: | |
| 70 p_x = float(counts[x]) / len(data) | |
| 71 if p_x > 0: | |
| 72 entropy += - p_x * math.log(p_x, 2) | |
| 73 return entropy | |
| 74 | |
| 75 | |
| 76 def checkHardcodedAwsKey(reportError, context, config): | |
| 77 """ | |
| 78 Function to check for potentially hardcoded AWS passwords. | |
| 79 | |
| 80 @param reportError function to be used to report errors | |
| 81 @type func | |
| 82 @param context security context object | |
| 83 @type SecurityContext | |
| 84 @param config dictionary with configuration data | |
| 85 @type dict | |
| 86 """ | |
| 87 node = context.node | |
| 88 if AWS_ACCESS_KEY_ID_REGEX.fullmatch(node.s): | |
| 89 entropy = shannonEntropy(node.s, AWS_ACCESS_KEY_ID_SYMBOLS) | |
| 90 if entropy > AWS_ACCESS_KEY_ID_MAX_ENTROPY: | |
| 91 reportError( | |
| 92 context.node.lineno - 1, | |
| 93 context.node.col_offset, | |
| 94 "S801", | |
| 95 "L", | |
| 96 "M", | |
| 97 node.s | |
| 98 ) | |
| 99 | |
| 100 elif AWS_SECRET_ACCESS_KEY_REGEX.fullmatch(node.s): | |
| 101 entropy = shannonEntropy(node.s, AWS_SECRET_ACCESS_KEY_SYMBOLS) | |
| 102 if entropy > AWS_SECRET_ACCESS_KEY_MAX_ENTROPY: | |
| 103 reportError( | |
| 104 context.node.lineno - 1, | |
| 105 context.node.col_offset, | |
| 106 "S802", | |
| 107 "M", | |
| 108 "M", | |
| 109 node.s | |
| 110 ) |
