Mercurial Repositories > eric / file comparison
comparison: src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/hashlibInsecureFunctions.py
src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/hashlibInsecureFunctions.py
- branch
- eric7
- changeset 11136
- 437db2f032fd
- parent 11090
- f5f5f5803935
- child 11147
- dee6e106b4d3
equal
deleted
inserted
replaced
| 11135:5af56f31c53f | 11136:437db2f032fd |
|---|---|
| 1 # -*- coding: utf-8 -*- | |
| 2 | |
| 3 # Copyright (c) 2020 - 2025 Detlev Offenbach <detlev@die-offenbachs.de> | |
| 4 # | |
| 5 | |
| 6 """ | |
| 7 Module implementing a check for use of insecure md4, md5, or sha1 hash | |
| 8 functions in hashlib. | |
| 9 """ | |
| 10 | |
| 11 from Security.SecurityDefaults import SecurityDefaults | |
| 12 | |
| 13 # | |
| 14 # This is a modified version of the one found in the bandit package. | |
| 15 # | |
| 16 # Original Copyright 2014 Hewlett-Packard Development Company, L.P. | |
| 17 # | |
| 18 # SPDX-License-Identifier: Apache-2.0 | |
| 19 # | |
| 20 | |
| 21 | |
| 22 def getChecks(): | |
| 23 """ | |
| 24 Public method to get a dictionary with checks handled by this module. | |
| 25 | |
| 26 @return dictionary containing checker lists containing checker function and | |
| 27 list of codes | |
| 28 @rtype dict | |
| 29 """ | |
| 30 return { | |
| 31 "Call": [ | |
| 32 (checkHashlib, ("S331", "S332")), | |
| 33 ], | |
| 34 } | |
| 35 | |
| 36 | |
| 37 def _hashlibFunc(reportError, context, func, config): | |
| 38 """ | |
| 39 Function to check for use of insecure md4, md5, or sha1 hash functions | |
| 40 in hashlib if 'usedforsecurity' is not set to 'False'. | |
| 41 | |
| 42 @param reportError function to be used to report errors | |
| 43 @type func | |
| 44 @param context security context object | |
| 45 @type SecurityContext | |
| 46 @param func name of the hash function | |
| 47 @type str | |
| 48 @param config dictionary with configuration data | |
| 49 @type dict | |
| 50 """ | |
| 51 insecureHashes = ( | |
| 52 [h.lower() for h in config["insecure_hashes"]] | |
| 53 if config and "insecure_hashes" in config | |
| 54 else SecurityDefaults["insecure_hashes"] | |
| 55 ) | |
| 56 | |
| 57 if isinstance(context.callFunctionNameQual, str): | |
| 58 keywords = context.callKeywords | |
| 59 | |
| 60 if func in insecureHashes: | |
| 61 if keywords.get("usedforsecurity", "True") == "True": | |
| 62 reportError( | |
| 63 context.node.lineno - 1, | |
| 64 context.node.col_offset, | |
| 65 "S332", | |
| 66 "H", | |
| 67 "H", | |
| 68 func.upper(), | |
| 69 ) | |
| 70 elif func == "new": | |
| 71 args = context.callArgs | |
| 72 name = args[0] if args else keywords.get("name") | |
| 73 if ( | |
| 74 isinstance(name, str) | |
| 75 and name.lower() in insecureHashes | |
| 76 and keywords.get("usedforsecurity", "True") == "True" | |
| 77 ): | |
| 78 reportError( | |
| 79 context.node.lineno - 1, | |
| 80 context.node.col_offset, | |
| 81 "S332", | |
| 82 "H", | |
| 83 "H", | |
| 84 name.upper(), | |
| 85 ) | |
| 86 | |
| 87 | |
| 88 def _cryptCrypt(reportError, context, func, config): | |
| 89 """ | |
| 90 Function to check for use of insecure md4, md5, sha or sha1 hash functions | |
| 91 in crypt.crypt(). | |
| 92 | |
| 93 @param reportError function to be used to report errors | |
| 94 @type func | |
| 95 @param context security context object | |
| 96 @type SecurityContext | |
| 97 @param func name of the hash function | |
| 98 @type str | |
| 99 @param config dictionary with configuration data | |
| 100 @type dict | |
| 101 """ | |
| 102 insecureHashes = ( | |
| 103 [h.lower() for h in config["insecure_hashes"]] | |
| 104 if config and "insecure_hashes" in config | |
| 105 else SecurityDefaults["insecure_hashes"] | |
| 106 ) | |
| 107 | |
| 108 args = context.callArgs | |
| 109 keywords = context.callKeywords | |
| 110 | |
| 111 if func == "crypt": | |
| 112 name = args[1] if len(args) > 1 else keywords.get("salt") | |
| 113 if isinstance(name, str) and name in insecureHashes: | |
| 114 reportError( | |
| 115 context.node.lineno - 1, | |
| 116 context.node.col_offset, | |
| 117 "S331", | |
| 118 "M", | |
| 119 "H", | |
| 120 name.upper(), | |
| 121 ) | |
| 122 | |
| 123 elif func == "mksalt": | |
| 124 name = args[0] if args else keywords.get("method") | |
| 125 if isinstance(name, str) and name in insecureHashes: | |
| 126 reportError( | |
| 127 context.node.lineno - 1, | |
| 128 context.node.col_offset, | |
| 129 "S331", | |
| 130 "M", | |
| 131 "H", | |
| 132 name.upper(), | |
| 133 ) | |
| 134 | |
| 135 | |
| 136 def checkHashlib(reportError, context, config): | |
| 137 """ | |
| 138 Function to check for use of insecure md4, md5, sha or sha1 hash functions | |
| 139 in hashlib.new(). | |
| 140 | |
| 141 @param reportError function to be used to report errors | |
| 142 @type func | |
| 143 @param context security context object | |
| 144 @type SecurityContext | |
| 145 @param config dictionary with configuration data | |
| 146 @type dict | |
| 147 """ | |
| 148 if isinstance(context.callFunctionNameQual, str): | |
| 149 qualnameList = context.callFunctionNameQual.split(".") | |
| 150 func = qualnameList[-1] | |
| 151 | |
| 152 if "hashlib" in qualnameList: | |
| 153 _hashlibFunc(reportError, context, func, config) | |
| 154 elif "crypt" in qualnameList and func in ("crypt", "mksalt"): | |
| 155 _cryptCrypt(reportError, context, func, config) |
