src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureHashlibNew.py

branch
eric7
changeset 10507
d1c6608155ef
parent 10439
21c28b0f9e41
child 11090
f5f5f5803935
10506:321555d0303b 10507:d1c6608155ef
34 (checkHashlib, ("S331",)), 34 (checkHashlib, ("S331",)),
35 ], 35 ],
36 } 36 }
37 37
38 38
39 def _hashlibFunc(reportError, context, config): 39 def _hashlibFunc(reportError, context, func, config):
40 """ 40 """
41 Function to check for use of insecure md4, md5, sha or sha1 hash functions 41 Function to check for use of insecure md4, md5, sha or sha1 hash functions
42 in hashlib.new() if 'usedforsecurity' is not set to 'False'. 42 in hashlib.new() if 'usedforsecurity' is not set to 'False'.
43 43
44 @param reportError function to be used to report errors 44 @param reportError function to be used to report errors
45 @type func 45 @type func
46 @param context security context object 46 @param context security context object
47 @type SecurityContext 47 @type SecurityContext
48 @param func name of the hash function
49 @type str
48 @param config dictionary with configuration data 50 @param config dictionary with configuration data
49 @type dict 51 @type dict
50 """ 52 """
51 insecureHashes = ( 53 insecureHashes = (
52 [h.lower() for h in config["insecure_hashes"]] 54 [h.lower() for h in config["insecure_hashes"]]
53 if config and "insecure_hashes" in config 55 if config and "insecure_hashes" in config
54 else SecurityDefaults["insecure_hashes"] 56 else SecurityDefaults["insecure_hashes"]
55 ) 57 )
56 58
57 if isinstance(context.callFunctionNameQual, str): 59 if isinstance(context.callFunctionNameQual, str):
58 qualnameList = context.callFunctionNameQual.split(".") 60 keywords = context.callKeywords
59 61
60 if "hashlib" in qualnameList: 62 if func in insecureHashes:
61 func = qualnameList[-1] 63 if keywords.get("usedforsecurity", "True") == "True":
62 keywords = context.callKeywords 64 reportError(
63 65 context.node.lineno - 1,
64 if func in insecureHashes: 66 context.node.col_offset,
65 if keywords.get("usedforsecurity", "True") == "True": 67 "S332",
66 reportError( 68 "H",
67 context.node.lineno - 1, 69 "H",
68 context.node.col_offset, 70 func.upper(),
69 "S332", 71 )
70 "H", 72 elif func == "new":
71 "H", 73 args = context.callArgs
72 func.upper(), 74 name = args[0] if args else keywords.get("name")
73 ) 75 if (
74 elif func == "new": 76 isinstance(name, str)
75 args = context.callArgs 77 and name.lower() in insecureHashes
76 name = args[0] if args else keywords.get("name") 78 and keywords.get("usedforsecurity", "True") == "True"
77 if ( 79 ):
78 isinstance(name, str) 80 reportError(
79 and name.lower() in insecureHashes 81 context.node.lineno - 1,
80 and keywords.get("usedforsecurity", "True") == "True" 82 context.node.col_offset,
81 ): 83 "S332",
82 reportError( 84 "H",
83 context.node.lineno - 1, 85 "H",
84 context.node.col_offset, 86 name.upper(),
85 "S332", 87 )
86 "H",
87 "H",
88 name.upper(),
89 )
90 88
91 89
92 def _hashlibNew(reportError, context, config): 90 def _hashlibNew(reportError, context, func, config):
93 """ 91 """
94 Function to check for use of insecure md4, md5, sha or sha1 hash functions 92 Function to check for use of insecure md4, md5, sha or sha1 hash functions
95 in hashlib.new(). 93 in hashlib.new().
96 94
97 @param reportError function to be used to report errors 95 @param reportError function to be used to report errors
98 @type func 96 @type func
99 @param context security context object 97 @param context security context object
100 @type SecurityContext 98 @type SecurityContext
99 @param func name of the hash function
100 @type str
101 @param config dictionary with configuration data 101 @param config dictionary with configuration data
102 @type dict 102 @type dict
103 """ 103 """
104 insecureHashes = ( 104 insecureHashes = (
105 [h.lower() for h in config["insecure_hashes"]] 105 [h.lower() for h in config["insecure_hashes"]]
106 if config and "insecure_hashes" in config 106 if config and "insecure_hashes" in config
107 else SecurityDefaults["insecure_hashes"] 107 else SecurityDefaults["insecure_hashes"]
108 ) 108 )
109 109
110 if isinstance(context.callFunctionNameQual, str): 110 if func == "new":
111 qualnameList = context.callFunctionNameQual.split(".") 111 args = context.callArgs
112 func = qualnameList[-1] 112 keywords = context.callKeywords
113 if "hashlib" in qualnameList and func == "new": 113 name = args[0] if args else keywords.get("name")
114 args = context.callArgs 114 if isinstance(name, str) and name.lower() in insecureHashes:
115 keywords = context.callKeywords 115 reportError(
116 name = args[0] if args else keywords.get("name") 116 context.node.lineno - 1,
117 if isinstance(name, str) and name.lower() in insecureHashes: 117 context.node.col_offset,
118 reportError( 118 "S331",
119 context.node.lineno - 1, 119 "M",
120 context.node.col_offset, 120 "H",
121 "S331", 121 name.upper(),
122 "M", 122 )
123 "H", 123
124 name.upper(), 124
125 ) 125 def _cryptCrypt(reportError, context, func, config):
126 """
127 Function to check for use of insecure md4, md5, sha or sha1 hash functions
128 in crypt.crypt().
129
130 @param reportError function to be used to report errors
131 @type func
132 @param context security context object
133 @type SecurityContext
134 @param func name of the hash function
135 @type str
136 @param config dictionary with configuration data
137 @type dict
138 """
139 insecureHashes = (
140 [h.lower() for h in config["insecure_hashes"]]
141 if config and "insecure_hashes" in config
142 else SecurityDefaults["insecure_hashes"]
143 )
144
145 args = context.callArgs
146 keywords = context.callKeywords
147
148 if func == "crypt":
149 name = args[1] if len(args) > 1 else keywords.get("salt")
150 if isinstance(name, str) and name in insecureHashes:
151 reportError(
152 context.node.lineno - 1,
153 context.node.col_offset,
154 "S331",
155 "M",
156 "H",
157 name.upper(),
158 )
159
160 elif func == "mksalt":
161 name = args[0] if args else keywords.get("method")
162 if isinstance(name, str) and name in insecureHashes:
163 reportError(
164 context.node.lineno - 1,
165 context.node.col_offset,
166 "S331",
167 "M",
168 "H",
169 name.upper(),
170 )
126 171
127 172
128 def checkHashlib(reportError, context, config): 173 def checkHashlib(reportError, context, config):
129 """ 174 """
130 Function to check for use of insecure md4, md5, sha or sha1 hash functions 175 Function to check for use of insecure md4, md5, sha or sha1 hash functions
135 @param context security context object 180 @param context security context object
136 @type SecurityContext 181 @type SecurityContext
137 @param config dictionary with configuration data 182 @param config dictionary with configuration data
138 @type dict 183 @type dict
139 """ 184 """
140 if sys.version_info >= (3, 9): 185 if isinstance(context.callFunctionNameQual, str):
141 _hashlibFunc(reportError, context, config) 186 qualnameList = context.callFunctionNameQual.split(".")
142 else: 187 func = qualnameList[-1]
143 _hashlibNew(reportError, context, config) 188
189 if "hashlib" in qualnameList:
190 if sys.version_info >= (3, 9):
191 _hashlibFunc(reportError, context, func, config)
192 else:
193 _hashlibNew(reportError, context, func, config)
194 elif "crypt" in qualnameList and func in ("crypt", "mksalt"):
195 _cryptCrypt(reportError, context, func, config)
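Review bot: In the new `_cryptCrypt` the method name is compared case-sensitively, `name in insecureHashes`, on both the `crypt` and the `mksalt` branch, whereas `insecureHashes` is lowercased when taken from config and the hashlib helpers compare `name.lower()`; if `callArgs` yields the literal value, a salt or method written as `"MD5"` would pass unreported. Change both tests to `if isinstance(name, str) and name.lower() in insecureHashes:` so the crypt path matches the hashlib path. The `_cryptCrypt` docstring also says only `crypt.crypt()` although the function covers `crypt.mksalt()` too, so `in crypt.crypt() and crypt.mksalt().` would describe it. The `isinstance(context.callFunctionNameQual, str)` guard kept at the top of `_hashlibFunc` is now redundant, since `checkHashlib` only calls it after making the same check, and removing it would drop one indentation level from the whole body.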
