Mercurial Repositories > eric / file comparison
comparison: src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureHashlibNew.py
src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureHashlibNew.py
- branch
- eric7
- changeset 9325
- 8157eb19aba5
- parent 9221
- bf71ee032bb4
- child 9473
- 3f23dbf37dbe
equal
deleted
inserted
replaced
| 9324:7f7f3e47b238 | 9325:8157eb19aba5 |
|---|---|
| 5 | 5 |
| 6 """ | 6 """ |
| 7 Module implementing a check for use of insecure md4, md5, or sha1 hash | 7 Module implementing a check for use of insecure md4, md5, or sha1 hash |
| 8 functions in hashlib.new(). | 8 functions in hashlib.new(). |
| 9 """ | 9 """ |
| 10 | |
| 11 import sys | |
| 10 | 12 |
| 11 # | 13 # |
| 12 # This is a modified version of the one found in the bandit package. | 14 # This is a modified version of the one found in the bandit package. |
| 13 # | 15 # |
| 14 # Original Copyright 2014 Hewlett-Packard Development Company, L.P. | 16 # Original Copyright 2014 Hewlett-Packard Development Company, L.P. |
| 27 list of codes | 29 list of codes |
| 28 @rtype dict | 30 @rtype dict |
| 29 """ | 31 """ |
| 30 return { | 32 return { |
| 31 "Call": [ | 33 "Call": [ |
| 32 (checkHashlibNew, ("S331",)), | 34 (checkHashlib, ("S331",)), |
| 33 ], | 35 ], |
| 34 } | 36 } |
| 35 | 37 |
| 36 | 38 |
| 37 def checkHashlibNew(reportError, context, config): | 39 def _hashlibFunc(reportError, context, config): |
| 38 """ | 40 """ |
| 39 Function to check for use of insecure md4, md5, or sha1 hash functions | 41 Function to check for use of insecure md4, md5, sha or sha1 hash functions |
| 42 in hashlib.new() if 'usedforsecurity' is not set to 'False'. | |
| 43 | |
| 44 @param reportError function to be used to report errors | |
| 45 @type func | |
| 46 @param context security context object | |
| 47 @type SecurityContext | |
| 48 @param config dictionary with configuration data | |
| 49 @type dict | |
| 50 """ | |
| 51 insecureHashes = ( | |
| 52 [h.lower() for h in config["insecure_hashes"]] | |
| 53 if config and "insecure_hashes" in config | |
| 54 else SecurityDefaults["insecure_hashes"] | |
| 55 ) | |
| 56 | |
| 57 if isinstance(context.callFunctionNameQual, str): | |
| 58 qualnameList = context.callFunctionNameQual.split(".") | |
| 59 | |
| 60 if "hashlib" in qualnameList: | |
| 61 func = qualnameList[-1] | |
| 62 keywords = context.callKeywords | |
| 63 | |
| 64 if func in insecureHashes: | |
| 65 if keywords.get("usedforsecurity", "True") == "True": | |
| 66 reportError( | |
| 67 context.node.lineno - 1, | |
| 68 context.node.col_offset, | |
| 69 "S332", | |
| 70 "H", | |
| 71 "H", | |
| 72 func.upper(), | |
| 73 ) | |
| 74 elif func == "new": | |
| 75 args = context.callArgs | |
| 76 name = args[0] if args else keywords.get("name", None) | |
| 77 if ( | |
| 78 isinstance(name, str) | |
| 79 and name.lower() in insecureHashes | |
| 80 and keywords.get("usedforsecurity", "True") == "True" | |
| 81 ): | |
| 82 reportError( | |
| 83 context.node.lineno - 1, | |
| 84 context.node.col_offset, | |
| 85 "S332", | |
| 86 "H", | |
| 87 "H", | |
| 88 name.upper(), | |
| 89 ) | |
| 90 | |
| 91 | |
| 92 def _hashlibNew(reportError, context, config): | |
| 93 """ | |
| 94 Function to check for use of insecure md4, md5, sha or sha1 hash functions | |
| 40 in hashlib.new(). | 95 in hashlib.new(). |
| 41 | 96 |
| 42 @param reportError function to be used to report errors | 97 @param reportError function to be used to report errors |
| 43 @type func | 98 @type func |
| 44 @param context security context object | 99 @param context security context object |
| 56 qualnameList = context.callFunctionNameQual.split(".") | 111 qualnameList = context.callFunctionNameQual.split(".") |
| 57 func = qualnameList[-1] | 112 func = qualnameList[-1] |
| 58 if "hashlib" in qualnameList and func == "new": | 113 if "hashlib" in qualnameList and func == "new": |
| 59 args = context.callArgs | 114 args = context.callArgs |
| 60 keywords = context.callKeywords | 115 keywords = context.callKeywords |
| 61 name = args[0] if args else keywords["name"] | 116 name = args[0] if args else keywords.get("name", None) |
| 62 if isinstance(name, str) and name.lower() in insecureHashes: | 117 if isinstance(name, str) and name.lower() in insecureHashes: |
| 63 reportError( | 118 reportError( |
| 64 context.node.lineno - 1, | 119 context.node.lineno - 1, |
| 65 context.node.col_offset, | 120 context.node.col_offset, |
| 66 "S331", | 121 "S331", |
| 67 "M", | 122 "M", |
| 68 "H", | 123 "H", |
| 69 name.upper(), | 124 name.upper(), |
| 70 ) | 125 ) |
| 126 | |
| 127 | |
| 128 def checkHashlib(reportError, context, config): | |
| 129 """ | |
| 130 Function to check for use of insecure md4, md5, sha or sha1 hash functions | |
| 131 in hashlib.new(). | |
| 132 | |
| 133 @param reportError function to be used to report errors | |
| 134 @type func | |
| 135 @param context security context object | |
| 136 @type SecurityContext | |
| 137 @param config dictionary with configuration data | |
| 138 @type dict | |
| 139 """ | |
| 140 if sys.version_info >= (3, 9): | |
| 141 _hashlibFunc(reportError, context, config) | |
| 142 else: | |
| 143 _hashlibNew(reportError, context, config) |
