Mercurial Repositories > eric / file comparison
comparison: src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/awsHardcodedPassword.py
src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/awsHardcodedPassword.py
- branch
- eric7
- changeset 9209
- b99e7fd55fd3
- parent 8881
- 54e42bc2437a
- child 9221
- bf71ee032bb4
equal
deleted
inserted
replaced
| 9208:3fc8dfeb6ebe | 9209:b99e7fd55fd3 |
|---|---|
| 1 # -*- coding: utf-8 -*- | |
| 2 | |
| 3 # Copyright (c) 2020 - 2022 Detlev Offenbach <detlev@die-offenbachs.de> | |
| 4 # | |
| 5 | |
| 6 """ | |
| 7 Module implementing checks for potentially hardcoded AWS passwords. | |
| 8 """ | |
| 9 | |
| 10 # | |
| 11 # This is a modified version of the one found at | |
| 12 # https://pypi.org/project/bandit-aws/. | |
| 13 # | |
| 14 # Original Copyright 2020 CMCRC (devcdt@cmcrc.com) | |
| 15 # | |
| 16 # Original License: GPLv3 | |
| 17 # | |
| 18 | |
| 19 from collections import Counter | |
| 20 import math | |
| 21 import re | |
| 22 import string | |
| 23 | |
| 24 | |
| 25 def getChecks(): | |
| 26 """ | |
| 27 Public method to get a dictionary with checks handled by this module. | |
| 28 | |
| 29 @return dictionary containing checker lists containing checker function and | |
| 30 list of codes | |
| 31 @rtype dict | |
| 32 """ | |
| 33 return { | |
| 34 "Str": [ | |
| 35 (checkHardcodedAwsKey, ("S801", "S802")), | |
| 36 ], | |
| 37 } | |
| 38 | |
| 39 AWS_ACCESS_KEY_ID_SYMBOLS = string.ascii_uppercase + string.digits | |
| 40 AWS_ACCESS_KEY_ID_REGEX = re.compile( | |
| 41 '[' + AWS_ACCESS_KEY_ID_SYMBOLS + ']{20}' | |
| 42 ) | |
| 43 AWS_ACCESS_KEY_ID_MAX_ENTROPY = 3 | |
| 44 | |
| 45 AWS_SECRET_ACCESS_KEY_SYMBOLS = string.ascii_letters + string.digits + '/+=' | |
| 46 AWS_SECRET_ACCESS_KEY_REGEX = re.compile( | |
| 47 '[' + AWS_SECRET_ACCESS_KEY_SYMBOLS + ']{40}' | |
| 48 ) | |
| 49 AWS_SECRET_ACCESS_KEY_MAX_ENTROPY = 4.5 | |
| 50 | |
| 51 | |
| 52 def shannonEntropy(data, symbols): | |
| 53 """ | |
| 54 Function to caclculate the Shannon entropy of some given data. | |
| 55 | |
| 56 Source: | |
| 57 http://blog.dkbza.org/2007/05/scanning-data-for-entropy-anomalies.html | |
| 58 | |
| 59 @param data data to calculate the entropy for | |
| 60 @type str | |
| 61 @param symbols allowed symbols | |
| 62 @type str | |
| 63 @return Shannon entropy of the given data | |
| 64 @rtype float | |
| 65 """ | |
| 66 if not data: | |
| 67 return 0 | |
| 68 entropy = 0 | |
| 69 counts = Counter(data) | |
| 70 for x in symbols: | |
| 71 p_x = float(counts[x]) / len(data) | |
| 72 if p_x > 0: | |
| 73 entropy += - p_x * math.log(p_x, 2) | |
| 74 return entropy | |
| 75 | |
| 76 | |
| 77 def checkHardcodedAwsKey(reportError, context, config): | |
| 78 """ | |
| 79 Function to check for potentially hardcoded AWS passwords. | |
| 80 | |
| 81 @param reportError function to be used to report errors | |
| 82 @type func | |
| 83 @param context security context object | |
| 84 @type SecurityContext | |
| 85 @param config dictionary with configuration data | |
| 86 @type dict | |
| 87 """ | |
| 88 node = context.node | |
| 89 if AWS_ACCESS_KEY_ID_REGEX.fullmatch(node.s): | |
| 90 entropy = shannonEntropy(node.s, AWS_ACCESS_KEY_ID_SYMBOLS) | |
| 91 if entropy > AWS_ACCESS_KEY_ID_MAX_ENTROPY: | |
| 92 reportError( | |
| 93 context.node.lineno - 1, | |
| 94 context.node.col_offset, | |
| 95 "S801", | |
| 96 "L", | |
| 97 "M", | |
| 98 node.s | |
| 99 ) | |
| 100 | |
| 101 elif AWS_SECRET_ACCESS_KEY_REGEX.fullmatch(node.s): | |
| 102 entropy = shannonEntropy(node.s, AWS_SECRET_ACCESS_KEY_SYMBOLS) | |
| 103 if entropy > AWS_SECRET_ACCESS_KEY_MAX_ENTROPY: | |
| 104 reportError( | |
| 105 context.node.lineno - 1, | |
| 106 context.node.col_offset, | |
| 107 "S802", | |
| 108 "M", | |
| 109 "M", | |
| 110 node.s | |
| 111 ) |
