src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureHashlibNew.py

branch
eric7
changeset 9325
8157eb19aba5
parent 9221
bf71ee032bb4
child 9473
3f23dbf37dbe
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureHashlibNew.py	Tue Sep 13 19:46:19 2022 +0200
+++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureHashlibNew.py	Tue Sep 13 20:00:55 2022 +0200
@@ -8,6 +8,8 @@
 functions in hashlib.new().
 """
 
+import sys
+
 #
 # This is a modified version of the one found in the bandit package.
 #
@@ -29,14 +31,67 @@
     """
     return {
         "Call": [
-            (checkHashlibNew, ("S331",)),
+            (checkHashlib, ("S331",)),
         ],
     }
 
 
-def checkHashlibNew(reportError, context, config):
+def _hashlibFunc(reportError, context, config):
+    """
+    Function to check for use of insecure md4, md5, sha or sha1 hash functions
+    in hashlib.new() if 'usedforsecurity' is not set to 'False'.
+
+    @param reportError function to be used to report errors
+    @type func
+    @param context security context object
+    @type SecurityContext
+    @param config dictionary with configuration data
+    @type dict
     """
-    Function to check for use of insecure md4, md5, or sha1 hash functions
+    insecureHashes = (
+        [h.lower() for h in config["insecure_hashes"]]
+        if config and "insecure_hashes" in config
+        else SecurityDefaults["insecure_hashes"]
+    )
+
+    if isinstance(context.callFunctionNameQual, str):
+        qualnameList = context.callFunctionNameQual.split(".")
+
+        if "hashlib" in qualnameList:
+            func = qualnameList[-1]
+            keywords = context.callKeywords
+
+            if func in insecureHashes:
+                if keywords.get("usedforsecurity", "True") == "True":
+                    reportError(
+                        context.node.lineno - 1,
+                        context.node.col_offset,
+                        "S332",
+                        "H",
+                        "H",
+                        func.upper(),
+                    )
+            elif func == "new":
+                args = context.callArgs
+                name = args[0] if args else keywords.get("name", None)
+                if (
+                    isinstance(name, str)
+                    and name.lower() in insecureHashes
+                    and keywords.get("usedforsecurity", "True") == "True"
+                ):
+                    reportError(
+                        context.node.lineno - 1,
+                        context.node.col_offset,
+                        "S332",
+                        "H",
+                        "H",
+                        name.upper(),
+                    )
+
+
+def _hashlibNew(reportError, context, config):
+    """
+    Function to check for use of insecure md4, md5, sha or sha1 hash functions
     in hashlib.new().
 
     @param reportError function to be used to report errors
@@ -58,7 +113,7 @@
         if "hashlib" in qualnameList and func == "new":
             args = context.callArgs
             keywords = context.callKeywords
-            name = args[0] if args else keywords["name"]
+            name = args[0] if args else keywords.get("name", None)
             if isinstance(name, str) and name.lower() in insecureHashes:
                 reportError(
                     context.node.lineno - 1,
@@ -68,3 +123,21 @@
                     "H",
                     name.upper(),
                 )
+
+
+def checkHashlib(reportError, context, config):
+    """
+    Function to check for use of insecure md4, md5, sha or sha1 hash functions
+    in hashlib.new().
+
+    @param reportError function to be used to report errors
+    @type func
+    @param context security context object
+    @type SecurityContext
+    @param config dictionary with configuration data
+    @type dict
+    """
+    if sys.version_info >= (3, 9):
+        _hashlibFunc(reportError, context, config)
+    else:
+        _hashlibNew(reportError, context, config)
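Review bot: `checkHashlib` selects the variant by `sys.version_info`, i.e. the interpreter running eric7, but whether `usedforsecurity` is accepted depends on the Python version the analyzed project targets (the parameter exists from 3.9), so a 3.8 project checked from a 3.9 IDE is told to pass a keyword its hashlib rejects, and a 3.9 project checked from an older interpreter never gets the `usedforsecurity` advice. If the checker configuration carries a target version, dispatch on that instead; otherwise state the assumption in the docstring, e.g. `Uses the running interpreter's version as a proxy for the target Python; the usedforsecurity keyword exists only from Python 3.9.` The docstring also says the check covers only `hashlib.new()`, yet on 3.9+ `_hashlibFunc` flags direct calls such as `hashlib.md5()` as well; change it to `Function to check for use of insecure md4, md5, sha or sha1 hash functions, either via hashlib.new() or called directly from hashlib.`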
