Sun, 16 Feb 2025 12:10:10 +0100
Code Style Checker
- Updated the Security checker to `bandit` v1.8.2.
--- a/docs/ThirdParty.md Sun Feb 16 11:26:03 2025 +0100
+++ b/docs/ThirdParty.md Sun Feb 16 12:10:10 2025 +0100
@@ -18,7 +18,7 @@
 | Name | Version | License |
 |:-----------------------------:|:---------:|:-----------------------------------|
-| bandit | 1.7.9 | Apache License 2.0 |
+| bandit | 1.8.2 | Apache License 2.0 |
 | flake8-alphabetize | 0.0.21 | MIT License (MIT No Attribution) |
 | flake8-annotations | 3.1.1 | MIT License (MIT) |
 | flake8-annotations-complexity | 0.0.8 | MIT License (MIT) |
--- a/docs/changelog.md Sun Feb 16 11:26:03 2025 +0100
+++ b/docs/changelog.md Sun Feb 16 12:10:10 2025 +0100
@@ -7,6 +7,7 @@
 - Imports to `flake8-tidy-imports` v4.11.0
 - Logging to `flake8-logging` v1.7.0
 - Miscellaneous to `flake8-comprehensions` v3.16.0
+ - Security to `bandit` v1.8.2
 - pip Interface
 - Added a field to search for packages in the dependencies list.
--- a/eric7.epj Sun Feb 16 11:26:03 2025 +0100
+++ b/eric7.epj Sun Feb 16 12:10:10 2025 +0100
@@ -1,7 +1,7 @@
 {
 "header": {
 "comment": "eric project file for project eric7",
- "copyright": "Copyright (C) 2024 Detlev Offenbach, detlev@die-offenbachs.de"
+ "copyright": "Copyright (C) 2025 Detlev Offenbach, detlev@die-offenbachs.de"
 },
 "project": {
 "AUTHOR": "Detlev Offenbach",
@@ -1622,11 +1622,11 @@
 "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/generalFilePermissions.py",
 "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/generalHardcodedPassword.py",
 "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/generalHardcodedTmp.py",
+ "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/hashlibInsecureFunctions.py",
 "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionParamiko.py",
 "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionShell.py",
 "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionSql.py",
 "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionWildcard.py",
- "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureHashlibNew.py",
 "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureSslTls.py",
 "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/jinja2Templates.py",
 "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/loggingConfigInsecureListen.py",
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.hashlibInsecureFunctions.html Sun Feb 16 12:10:10 2025 +0100
@@ -0,0 +1,189 @@ +<!DOCTYPE html> +<html><head> +<title>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew</title> +<meta charset="UTF-8"> +<link rel="stylesheet" href="styles.css"> +</head> +<body> +<a NAME="top" ID="top"></a> +<h1>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew</h1> +<p> +Module implementing a check for use of insecure md4, md5, or sha1 hash +functions in hashlib.new(). +</p> + +<h3>Global Attributes</h3> +<table> +<tr><td>None</td></tr> +</table> + +<h3>Classes</h3> +<table> +<tr><td>None</td></tr> +</table> + +<h3>Functions</h3> +<table> +<tr> +<td><a href="#_cryptCrypt">_cryptCrypt</a></td> +<td>Function to check for use of insecure md4, md5, sha or sha1 hash functions in crypt.crypt().</td> +</tr> +<tr> +<td><a href="#_hashlibFunc">_hashlibFunc</a></td> +<td>Function to check for use of insecure md4, md5, sha or sha1 hash functions in hashlib.new() if 'usedforsecurity' is not set to 'False'.</td> +</tr> +<tr> +<td><a href="#_hashlibNew">_hashlibNew</a></td> +<td>Function to check for use of insecure md4, md5, sha or sha1 hash functions in hashlib.new().</td> +</tr> +<tr> +<td><a href="#checkHashlib">checkHashlib</a></td> +<td>Function to check for use of insecure md4, md5, sha or sha1 hash functions in hashlib.new().</td> +</tr> +<tr> +<td><a href="#getChecks">getChecks</a></td> +<td>Public method to get a dictionary with checks handled by this module.</td> +</tr> +</table> + +<hr /> +<hr /> +<a NAME="_cryptCrypt" ID="_cryptCrypt"></a> +<h2>_cryptCrypt</h2> +<b>_cryptCrypt</b>(<i>reportError, context, func, config</i>) +<p> + Function to check for use of insecure md4, md5, sha or sha1 hash functions + in crypt.crypt(). 
+</p> + +<dl> + +<dt><i>reportError</i> (func)</dt> +<dd> +function to be used to report errors +</dd> +<dt><i>context</i> (SecurityContext)</dt> +<dd> +security context object +</dd> +<dt><i>func</i> (str)</dt> +<dd> +name of the hash function +</dd> +<dt><i>config</i> (dict)</dt> +<dd> +dictionary with configuration data +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +<hr /> +<a NAME="_hashlibFunc" ID="_hashlibFunc"></a> +<h2>_hashlibFunc</h2> +<b>_hashlibFunc</b>(<i>reportError, context, func, config</i>) +<p> + Function to check for use of insecure md4, md5, sha or sha1 hash functions + in hashlib.new() if 'usedforsecurity' is not set to 'False'. +</p> + +<dl> + +<dt><i>reportError</i> (func)</dt> +<dd> +function to be used to report errors +</dd> +<dt><i>context</i> (SecurityContext)</dt> +<dd> +security context object +</dd> +<dt><i>func</i> (str)</dt> +<dd> +name of the hash function +</dd> +<dt><i>config</i> (dict)</dt> +<dd> +dictionary with configuration data +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +<hr /> +<a NAME="_hashlibNew" ID="_hashlibNew"></a> +<h2>_hashlibNew</h2> +<b>_hashlibNew</b>(<i>reportError, context, func, config</i>) +<p> + Function to check for use of insecure md4, md5, sha or sha1 hash functions + in hashlib.new(). +</p> + +<dl> + +<dt><i>reportError</i> (func)</dt> +<dd> +function to be used to report errors +</dd> +<dt><i>context</i> (SecurityContext)</dt> +<dd> +security context object +</dd> +<dt><i>func</i> (str)</dt> +<dd> +name of the hash function +</dd> +<dt><i>config</i> (dict)</dt> +<dd> +dictionary with configuration data +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +<hr /> +<a NAME="checkHashlib" ID="checkHashlib"></a> +<h2>checkHashlib</h2> +<b>checkHashlib</b>(<i>reportError, context, config</i>) +<p> + Function to check for use of insecure md4, md5, sha or sha1 hash functions + in hashlib.new(). 
+</p> + +<dl> + +<dt><i>reportError</i> (func)</dt> +<dd> +function to be used to report errors +</dd> +<dt><i>context</i> (SecurityContext)</dt> +<dd> +security context object +</dd> +<dt><i>config</i> (dict)</dt> +<dd> +dictionary with configuration data +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +<hr /> +<a NAME="getChecks" ID="getChecks"></a> +<h2>getChecks</h2> +<b>getChecks</b>(<i></i>) +<p> + Public method to get a dictionary with checks handled by this module. +</p> + +<dl> +<dt>Return:</dt> +<dd> +dictionary containing checker lists containing checker function and + list of codes +</dd> +</dl> +<dl> +<dt>Return Type:</dt> +<dd> +dict +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +</body></html>
--- a/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew.html Sun Feb 16 11:26:03 2025 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,189 +0,0 @@ -<!DOCTYPE html> -<html><head> -<title>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew</title> -<meta charset="UTF-8"> -<link rel="stylesheet" href="styles.css"> -</head> -<body> -<a NAME="top" ID="top"></a> -<h1>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew</h1> -<p> -Module implementing a check for use of insecure md4, md5, or sha1 hash -functions in hashlib.new(). -</p> - -<h3>Global Attributes</h3> -<table> -<tr><td>None</td></tr> -</table> - -<h3>Classes</h3> -<table> -<tr><td>None</td></tr> -</table> - -<h3>Functions</h3> -<table> -<tr> -<td><a href="#_cryptCrypt">_cryptCrypt</a></td> -<td>Function to check for use of insecure md4, md5, sha or sha1 hash functions in crypt.crypt().</td> -</tr> -<tr> -<td><a href="#_hashlibFunc">_hashlibFunc</a></td> -<td>Function to check for use of insecure md4, md5, sha or sha1 hash functions in hashlib.new() if 'usedforsecurity' is not set to 'False'.</td> -</tr> -<tr> -<td><a href="#_hashlibNew">_hashlibNew</a></td> -<td>Function to check for use of insecure md4, md5, sha or sha1 hash functions in hashlib.new().</td> -</tr> -<tr> -<td><a href="#checkHashlib">checkHashlib</a></td> -<td>Function to check for use of insecure md4, md5, sha or sha1 hash functions in hashlib.new().</td> -</tr> -<tr> -<td><a href="#getChecks">getChecks</a></td> -<td>Public method to get a dictionary with checks handled by this module.</td> -</tr> -</table> - -<hr /> -<hr /> -<a NAME="_cryptCrypt" ID="_cryptCrypt"></a> -<h2>_cryptCrypt</h2> -<b>_cryptCrypt</b>(<i>reportError, context, func, config</i>) -<p> - Function to check for use of insecure md4, md5, sha or sha1 hash functions - in crypt.crypt(). 
-</p> - -<dl> - -<dt><i>reportError</i> (func)</dt> -<dd> -function to be used to report errors -</dd> -<dt><i>context</i> (SecurityContext)</dt> -<dd> -security context object -</dd> -<dt><i>func</i> (str)</dt> -<dd> -name of the hash function -</dd> -<dt><i>config</i> (dict)</dt> -<dd> -dictionary with configuration data -</dd> -</dl> -<div align="right"><a href="#top">Up</a></div> -<hr /> -<hr /> -<a NAME="_hashlibFunc" ID="_hashlibFunc"></a> -<h2>_hashlibFunc</h2> -<b>_hashlibFunc</b>(<i>reportError, context, func, config</i>) -<p> - Function to check for use of insecure md4, md5, sha or sha1 hash functions - in hashlib.new() if 'usedforsecurity' is not set to 'False'. -</p> - -<dl> - -<dt><i>reportError</i> (func)</dt> -<dd> -function to be used to report errors -</dd> -<dt><i>context</i> (SecurityContext)</dt> -<dd> -security context object -</dd> -<dt><i>func</i> (str)</dt> -<dd> -name of the hash function -</dd> -<dt><i>config</i> (dict)</dt> -<dd> -dictionary with configuration data -</dd> -</dl> -<div align="right"><a href="#top">Up</a></div> -<hr /> -<hr /> -<a NAME="_hashlibNew" ID="_hashlibNew"></a> -<h2>_hashlibNew</h2> -<b>_hashlibNew</b>(<i>reportError, context, func, config</i>) -<p> - Function to check for use of insecure md4, md5, sha or sha1 hash functions - in hashlib.new(). -</p> - -<dl> - -<dt><i>reportError</i> (func)</dt> -<dd> -function to be used to report errors -</dd> -<dt><i>context</i> (SecurityContext)</dt> -<dd> -security context object -</dd> -<dt><i>func</i> (str)</dt> -<dd> -name of the hash function -</dd> -<dt><i>config</i> (dict)</dt> -<dd> -dictionary with configuration data -</dd> -</dl> -<div align="right"><a href="#top">Up</a></div> -<hr /> -<hr /> -<a NAME="checkHashlib" ID="checkHashlib"></a> -<h2>checkHashlib</h2> -<b>checkHashlib</b>(<i>reportError, context, config</i>) -<p> - Function to check for use of insecure md4, md5, sha or sha1 hash functions - in hashlib.new(). 
-</p> - -<dl> - -<dt><i>reportError</i> (func)</dt> -<dd> -function to be used to report errors -</dd> -<dt><i>context</i> (SecurityContext)</dt> -<dd> -security context object -</dd> -<dt><i>config</i> (dict)</dt> -<dd> -dictionary with configuration data -</dd> -</dl> -<div align="right"><a href="#top">Up</a></div> -<hr /> -<hr /> -<a NAME="getChecks" ID="getChecks"></a> -<h2>getChecks</h2> -<b>getChecks</b>(<i></i>) -<p> - Public method to get a dictionary with checks handled by this module. -</p> - -<dl> -<dt>Return:</dt> -<dd> -dictionary containing checker lists containing checker function and - list of codes -</dd> -</dl> -<dl> -<dt>Return Type:</dt> -<dd> -dict -</dd> -</dl> -<div align="right"><a href="#top">Up</a></div> -<hr /> -</body></html>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/hashlibInsecureFunctions.py Sun Feb 16 12:10:10 2025 +0100
@@ -0,0 +1,155 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2020 - 2025 Detlev Offenbach <detlev@die-offenbachs.de>
+#
+
+"""
+Module implementing a check for use of insecure md4, md5, or sha1 hash
+functions in hashlib.
+"""
+
+from Security.SecurityDefaults import SecurityDefaults
+
+#
+# This is a modified version of the one found in the bandit package.
+#
+# Original Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+
+def getChecks():
+ """
+ Public method to get a dictionary with checks handled by this module.
+
+ @return dictionary containing checker lists containing checker function and
+ list of codes
+ @rtype dict
+ """
+ return {
+ "Call": [
+ (checkHashlib, ("S331", "S332")),
+ ],
+ }
+
+
+def _hashlibFunc(reportError, context, func, config):
+ """
+ Function to check for use of insecure md4, md5, or sha1 hash functions
+ in hashlib if 'usedforsecurity' is not set to 'False'.
+
+ @param reportError function to be used to report errors
+ @type func
+ @param context security context object
+ @type SecurityContext
+ @param func name of the hash function
+ @type str
+ @param config dictionary with configuration data
+ @type dict
+ """
+ insecureHashes = (
+ [h.lower() for h in config["insecure_hashes"]]
+ if config and "insecure_hashes" in config
+ else SecurityDefaults["insecure_hashes"]
+ )
+
+ if isinstance(context.callFunctionNameQual, str):
+ keywords = context.callKeywords
+
+ if func in insecureHashes:
+ if keywords.get("usedforsecurity", "True") == "True":
+ reportError(
+ context.node.lineno - 1,
+ context.node.col_offset,
+ "S332",
+ "H",
+ "H",
+ func.upper(),
+ )
+ elif func == "new":
+ args = context.callArgs
+ name = args[0] if args else keywords.get("name")
+ if (
+ isinstance(name, str)
+ and name.lower() in insecureHashes
+ and keywords.get("usedforsecurity", "True") == "True"
+ ):
+ reportError(
+ context.node.lineno - 1,
+ context.node.col_offset,
+ "S332",
+ "H",
+ "H",
+ name.upper(),
+ )
+
+
+def _cryptCrypt(reportError, context, func, config):
+ """
+ Function to check for use of insecure md4, md5, sha or sha1 hash functions
+ in crypt.crypt().
+
+ @param reportError function to be used to report errors
+ @type func
+ @param context security context object
+ @type SecurityContext
+ @param func name of the hash function
+ @type str
+ @param config dictionary with configuration data
+ @type dict
+ """
+ insecureHashes = (
+ [h.lower() for h in config["insecure_hashes"]]
+ if config and "insecure_hashes" in config
+ else SecurityDefaults["insecure_hashes"]
+ )
+
+ args = context.callArgs
+ keywords = context.callKeywords
+
+ if func == "crypt":
+ name = args[1] if len(args) > 1 else keywords.get("salt")
+ if isinstance(name, str) and name in insecureHashes:
+ reportError(
+ context.node.lineno - 1,
+ context.node.col_offset,
+ "S331",
+ "M",
+ "H",
+ name.upper(),
+ )
+
+ elif func == "mksalt":
+ name = args[0] if args else keywords.get("method")
+ if isinstance(name, str) and name in insecureHashes:
+ reportError(
+ context.node.lineno - 1,
+ context.node.col_offset,
+ "S331",
+ "M",
+ "H",
+ name.upper(),
+ )
+
+
+def checkHashlib(reportError, context, config):
+ """
+ Function to check for use of insecure md4, md5, sha or sha1 hash functions
+ in hashlib.new().
+
+ @param reportError function to be used to report errors
+ @type func
+ @param context security context object
+ @type SecurityContext
+ @param config dictionary with configuration data
+ @type dict
+ """
+ if isinstance(context.callFunctionNameQual, str):
+ qualnameList = context.callFunctionNameQual.split(".")
+ func = qualnameList[-1]
+
+ if "hashlib" in qualnameList:
+ _hashlibFunc(reportError, context, func, config)
+ elif "crypt" in qualnameList and func in ("crypt", "mksalt"):
+ _cryptCrypt(reportError, context, func, config)
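Review bot: `_cryptCrypt` tests the salt/method argument with `name in insecureHashes`, i.e. case-sensitively against the hashlib algorithm names (`md4`, `md5`, `sha`, `sha1` in SecurityDefaults), whereas `_hashlibFunc` lowercases before the same lookup; unless `callArgs` already turns a `crypt.METHOD_*` constant into one of those strings (not visible here), the crypt branch cannot match anything and its S331 report is dead code carried over from the removed insecureHashlibNew.py, so either keep a separate list of weak crypt method names for this branch or document that only literal algorithm strings are recognised. The module docstring and the `checkHashlib` docstring still say 'hash functions in hashlib.new()' although the code now also covers direct `hashlib.<algo>()` calls and crypt; suggest `Module implementing checks for use of insecure hash functions in hashlib and crypt.` for both. The `isinstance(context.callFunctionNameQual, str)` guard inside `_hashlibFunc` repeats the one `checkHashlib` performs before dispatching and can be dropped. The generated hashlibInsecureFunctions.html added in this commit still carries the old module name and a `_hashlibNew` entry, so the API docs should be regenerated.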
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureHashlibNew.py Sun Feb 16 11:26:03 2025 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,195 +0,0 @@ -# -*- coding: utf-8 -*- - -# Copyright (c) 2020 - 2025 Detlev Offenbach <detlev@die-offenbachs.de> -# - -""" -Module implementing a check for use of insecure md4, md5, or sha1 hash -functions in hashlib.new(). -""" - -import sys - -from Security.SecurityDefaults import SecurityDefaults - -# -# This is a modified version of the one found in the bandit package. -# -# Original Copyright 2014 Hewlett-Packard Development Company, L.P. -# -# SPDX-License-Identifier: Apache-2.0 -# - - -def getChecks(): - """ - Public method to get a dictionary with checks handled by this module. - - @return dictionary containing checker lists containing checker function and - list of codes - @rtype dict - """ - return { - "Call": [ - (checkHashlib, ("S331",)), - ], - } - - -def _hashlibFunc(reportError, context, func, config): - """ - Function to check for use of insecure md4, md5, sha or sha1 hash functions - in hashlib.new() if 'usedforsecurity' is not set to 'False'. - - @param reportError function to be used to report errors - @type func - @param context security context object - @type SecurityContext - @param func name of the hash function - @type str - @param config dictionary with configuration data - @type dict - """ - insecureHashes = ( - [h.lower() for h in config["insecure_hashes"]] - if config and "insecure_hashes" in config - else SecurityDefaults["insecure_hashes"] - ) - - if isinstance(context.callFunctionNameQual, str): - keywords = context.callKeywords - - if func in insecureHashes: - if keywords.get("usedforsecurity", "True") == "True": - reportError( - context.node.lineno - 1, - context.node.col_offset, - "S332", - "H", - "H", - func.upper(), - ) - elif func == "new": - args = context.callArgs - name = args[0] if args else keywords.get("name") - if ( - isinstance(name, str) - and name.lower() in insecureHashes - and keywords.get("usedforsecurity", "True") == "True" - ): - reportError( - context.node.lineno - 1, - context.node.col_offset, - "S332", - 
"H", - "H", - name.upper(), - ) - - -def _hashlibNew(reportError, context, func, config): - """ - Function to check for use of insecure md4, md5, sha or sha1 hash functions - in hashlib.new(). - - @param reportError function to be used to report errors - @type func - @param context security context object - @type SecurityContext - @param func name of the hash function - @type str - @param config dictionary with configuration data - @type dict - """ - insecureHashes = ( - [h.lower() for h in config["insecure_hashes"]] - if config and "insecure_hashes" in config - else SecurityDefaults["insecure_hashes"] - ) - - if func == "new": - args = context.callArgs - keywords = context.callKeywords - name = args[0] if args else keywords.get("name") - if isinstance(name, str) and name.lower() in insecureHashes: - reportError( - context.node.lineno - 1, - context.node.col_offset, - "S331", - "M", - "H", - name.upper(), - ) - - -def _cryptCrypt(reportError, context, func, config): - """ - Function to check for use of insecure md4, md5, sha or sha1 hash functions - in crypt.crypt(). 
- - @param reportError function to be used to report errors - @type func - @param context security context object - @type SecurityContext - @param func name of the hash function - @type str - @param config dictionary with configuration data - @type dict - """ - insecureHashes = ( - [h.lower() for h in config["insecure_hashes"]] - if config and "insecure_hashes" in config - else SecurityDefaults["insecure_hashes"] - ) - - args = context.callArgs - keywords = context.callKeywords - - if func == "crypt": - name = args[1] if len(args) > 1 else keywords.get("salt") - if isinstance(name, str) and name in insecureHashes: - reportError( - context.node.lineno - 1, - context.node.col_offset, - "S331", - "M", - "H", - name.upper(), - ) - - elif func == "mksalt": - name = args[0] if args else keywords.get("method") - if isinstance(name, str) and name in insecureHashes: - reportError( - context.node.lineno - 1, - context.node.col_offset, - "S331", - "M", - "H", - name.upper(), - ) - - -def checkHashlib(reportError, context, config): - """ - Function to check for use of insecure md4, md5, sha or sha1 hash functions - in hashlib.new(). - - @param reportError function to be used to report errors - @type func - @param context security context object - @type SecurityContext - @param config dictionary with configuration data - @type dict - """ - if isinstance(context.callFunctionNameQual, str): - qualnameList = context.callFunctionNameQual.split(".") - func = qualnameList[-1] - - if "hashlib" in qualnameList: - if sys.version_info >= (3, 9): - _hashlibFunc(reportError, context, func, config) - else: - _hashlibNew(reportError, context, func, config) - elif "crypt" in qualnameList and func in ("crypt", "mksalt"): - _cryptCrypt(reportError, context, func, config)
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/prohibitedCalls.py Sun Feb 16 11:26:03 2025 +0100
+++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/prohibitedCalls.py Sun Feb 16 12:10:10 2025 +0100
@@ -17,7 +17,6 @@
 import ast
 import fnmatch
-import sys
 import AstUtilities
@@ -27,9 +26,6 @@
 "pickle.loads",
 "pickle.load",
 "pickle.Unpickler",
- "cPickle.loads",
- "cPickle.load",
- "cPickle.Unpickler",
 "dill.loads",
 "dill.load",
 "dill.Unpickler",
@@ -44,42 +40,21 @@
 ),
 "S302": (["marshal.load", "marshal.loads"], "M"),
 }
-if sys.version_info >= (3, 9):
- _prohibitedCalls["S303"] = (
- [
- "Crypto.Hash.MD2.new",
- "Crypto.Hash.MD4.new",
- "Crypto.Hash.MD5.new",
- "Crypto.Hash.SHA.new",
- "Cryptodome.Hash.MD2.new",
- "Cryptodome.Hash.MD4.new",
- "Cryptodome.Hash.MD5.new",
- "Cryptodome.Hash.SHA.new",
- "cryptography.hazmat.primitives.hashes.MD5",
- "cryptography.hazmat.primitives.hashes.SHA1",
- ],
- "M",
- )
-else:
- _prohibitedCalls["S303"] = (
- [
- "hashlib.md4",
- "hashlib.md5",
- "hashlib.sha",
- "hashlib.sha1",
- "Crypto.Hash.MD2.new",
- "Crypto.Hash.MD4.new",
- "Crypto.Hash.MD5.new",
- "Crypto.Hash.SHA.new",
- "Cryptodome.Hash.MD2.new",
- "Cryptodome.Hash.MD4.new",
- "Cryptodome.Hash.MD5.new",
- "Cryptodome.Hash.SHA.new",
- "cryptography.hazmat.primitives.hashes.MD5",
- "cryptography.hazmat.primitives.hashes.SHA1",
- ],
- "M",
- )
+_prohibitedCalls["S303"] = (
+ [
+ "Crypto.Hash.MD2.new",
+ "Crypto.Hash.MD4.new",
+ "Crypto.Hash.MD5.new",
+ "Crypto.Hash.SHA.new",
+ "Cryptodome.Hash.MD2.new",
+ "Cryptodome.Hash.MD4.new",
+ "Cryptodome.Hash.MD5.new",
+ "Cryptodome.Hash.SHA.new",
+ "cryptography.hazmat.primitives.hashes.MD5",
+ "cryptography.hazmat.primitives.hashes.SHA1",
+ ],
+ "M",
+)
 _prohibitedCalls.update(
 {
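Review bot: With the `sys.version_info` branch gone, the stand-alone `_prohibitedCalls["S303"] = (...)` assignment in the hunk `@@ -44,42 +40,21 @@` is a leftover of the removed conditional rather than a deliberate split; it sits between the dict literal and `_prohibitedCalls.update(...)` and reads as if S303 needed special handling. Move the entry into the `_prohibitedCalls` literal as `"S303": ([...], "M"),` directly after the `"S302"` entry so every static code lives in one place. The `import sys` and `cPickle` removals in the other two hunks are consistent with that.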
@@ -97,7 +72,10 @@
 "Cryptodome.Cipher.XOR.new",
 "cryptography.hazmat.primitives.ciphers.algorithms.ARC4",
 "cryptography.hazmat.primitives.ciphers.algorithms.Blowfish",
+ "cryptography.hazmat.primitives.ciphers.algorithms.CAST5",
 "cryptography.hazmat.primitives.ciphers.algorithms.IDEA",
+ "cryptography.hazmat.primitives.ciphers.algorithms.SEED",
+ "cryptography.hazmat.primitives.ciphers.algorithms.TripleDES",
 ],
 "H",
 ),
@@ -159,19 +137,7 @@
 "S317": (["xml.sax.parse", "xml.sax.parseString", "xml.sax.make_parser"], "M"),
 "S318": (["xml.dom.minidom.parse", "xml.dom.minidom.parseString"], "M"),
 "S319": (["xml.dom.pulldom.parse", "xml.dom.pulldom.parseString"], "M"),
- "S320": (
- [
- "lxml.etree.parse",
- "lxml.etree.fromstring",
- "lxml.etree.RestrictedElement",
- "lxml.etree.GlobalParserTLS",
- "lxml.etree.getDefaultParser",
- "lxml.etree.check_docinfo",
- ],
- "M",
- ),
 "S321": (["ftplib.FTP"], "H"),
- "S322": (["input"], "H"),
 "S323": (["ssl._create_unverified_context"], "M"),
 }
 )
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/prohibitedImports.py Sun Feb 16 11:26:03 2025 +0100
+++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/prohibitedImports.py Sun Feb 16 12:10:10 2025 +0100
@@ -25,7 +25,6 @@
 "S407": (["xml.dom.expatbuilder"], "L"),
 "S408": (["xml.dom.minidom"], "L"),
 "S409": (["xml.dom.pulldom"], "L"),
- "S410": (["lxml"], "L"),
 "S411": (["xmlrpc"], "H"),
 "S412": (
 [
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/requestWithoutTimeout.py Sun Feb 16 11:26:03 2025 +0100
+++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/requestWithoutTimeout.py Sun Feb 16 12:10:10 2025 +0100
@@ -43,9 +43,8 @@
 httpVerbs = {"get", "options", "head", "post", "put", "patch", "delete"}
 httpxAttrs = {"request", "stream", "Client", "AsyncClient"} | httpVerbs
 qualName = context.callFunctionNameQual.split(".")[0]
- if (qualName == "requests" and context.callFunctionName in httpVerbs) or (
- qualName == "httpx" and context.callFunctionName in httpxAttrs
- ):
+
+ if qualName == "requests" and context.callFunctionName in httpVerbs:
 # check for missing timeout
 if context.checkCallArgValue("timeout") is None:
 reportError(
@@ -57,6 +56,12 @@
 qualName,
 )
+ if (
+ qualName == "requests"
+ and context.callFunctionName in httpVerbs
+ or qualName == "httpx"
+ and context.callFunctionName in httpxAttrs
+ ):
 # check for timeout=None
 if context.checkCallArgValue("timeout", "None"):
 reportError(
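Review bot: The reason httpx calls are dropped from the missing-timeout check in the first hunk but kept for the explicit `timeout=None` check in the second is not recorded anywhere, so a reader sees two near-identical conditions and will assume one is a mistake. Add a why-comment above the first `if`, e.g. `# only requests needs an explicit timeout; httpx is assumed to apply a default one`, confirming the httpx default before committing to that wording since it is inferred rather than visible here. The second condition mixes `and`/`or` without parentheses and restates the first; binding `isRequests = qualName == "requests" and context.callFunctionName in httpVerbs` and `isHttpx = qualName == "httpx" and context.callFunctionName in httpxAttrs` once after `qualName` and testing `if isRequests:` / `if isRequests or isHttpx:` makes the precedence explicit. The enclosing function starts and ends outside the hunks.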
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/SecurityChecker.py Sun Feb 16 11:26:03 2025 +0100
+++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/SecurityChecker.py Sun Feb 16 12:10:10 2025 +0100
@@ -58,12 +58,11 @@
 "S317",
 "S318",
 "S319",
- "S320",
 "S321",
- "S322",
 "S323",
- # hashlib.new
+ # hashlib functions
 "S331",
+ "S332"
 # insecure imports (prohibited)
 "S401",
 "S402",
@@ -74,7 +73,6 @@
 "S407",
 "S408",
 "S409",
- "S410",
 "S411",
 "S412",
 "S413",
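Review bot: The added `"S332"` in the first hunk has no trailing comma, so Python's implicit string-literal concatenation joins it with the following `"S401",` (the comment line in between does not stop this) into the single element `"S332S401"`; neither S332 nor S401 then appears in the codes list, which silently disables the new hashlib code registered by `getChecks()` as well as the first prohibited-import code. Change the line to `"S332",`. The enclosing list starts and ends outside the hunk, so please also check that nothing else in it relies on the element count.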
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/SecurityDefaults.py Sun Feb 16 11:26:03 2025 +0100
+++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/SecurityDefaults.py Sun Feb 16 12:10:10 2025 +0100
@@ -11,7 +11,7 @@
 # generalHardcodedTmp.py
 "hardcoded_tmp_directories": ["/tmp", "/var/tmp", "/dev/shm", "~/tmp"], # secok
- # insecureHashlibNew.py
+ # hashlibInsecureFunctions.py
 "insecure_hashes": ["md4", "md5", "sha", "sha1"],
 # injectionShell.py
 # injectionWildcard.py
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/__init__.py Sun Feb 16 11:26:03 2025 +0100
+++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/__init__.py Sun Feb 16 12:10:10 2025 +0100
@@ -8,5 +8,5 @@
 """
 ###########################################################################
-## The security checker is based on Bandit v1.7.10. ##
+## The security checker is based on Bandit v1.8.2. ##
 ###########################################################################
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py Sun Feb 16 11:26:03 2025 +0100
+++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py Sun Feb 16 12:10:10 2025 +0100
@@ -163,24 +163,11 @@
 " XML attacks. Replace '{0}' with its defusedxml equivalent function"
 " or make sure defusedxml.defuse_stdlib() is called.",
 ),
- "S320": QCoreApplication.translate(
- "Security",
- "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
- " XML attacks. Replace '{0}' with its defusedxml equivalent"
- " function.",
- ),
 "S321": QCoreApplication.translate(
 "Security",
 "FTP-related functions are being called. FTP is considered insecure."
 " Use SSH/SFTP/SCP or some other encrypted protocol.",
 ),
- "S322": QCoreApplication.translate(
- "Security",
- "The input method in Python 2 will read from standard input, evaluate"
- " and run the resulting string as Python source code. This is"
- " similar, though in many ways worse, than using eval. On Python 2,"
- " use raw_input instead, input is safe in Python 3.",
- ),
 "S323": QCoreApplication.translate(
 "Security",
 "By default, Python will create a secure, verified SSL context for"
@@ -189,7 +176,7 @@
 " reverts to the previous behavior that does not validate"
 " certificates or perform hostname checks.",
 ),
- # hashlib.new
+ # hashlib functions
 "S331": QCoreApplication.translate(
 "Security", "Use of insecure {0} hash function."
 ),
@@ -246,12 +233,6 @@
 " to XML attacks. Replace '{0}' with the equivalent defusedxml"
 " package, or make sure defusedxml.defuse_stdlib() is called.",
 ),
- "S410": QCoreApplication.translate(
- "Security",
- "Using '{0}' to parse untrusted XML data is known to be vulnerable"
- " to XML attacks. Replace '{0}' with the equivalent defusedxml"
- " package.",
- ),
 "S411": QCoreApplication.translate(
 "Security",
 "Using '{0}' to parse untrusted XML data is known to be vulnerable"
@@ -450,7 +431,6 @@
 "S317": ["xml.sax.parse"],
 "S318": ["xml.dom.minidom.parse"],
 "S319": ["xml.dom.pulldom.parse"],
- "S320": ["lxml.etree.parse"],
 "S331": ["MD5"],
 "S403": ["pickle"],
 "S404": ["subprocess"],
@@ -459,7 +439,6 @@
 "S407": ["xml.dom.expatbuilder"],
 "S408": ["xml.dom.minidom"],
 "S409": ["xml.dom.pulldom"],
- "S410": ["lxml"],
 "S411": ["xmlrpclib"],
 "S412": ["wsgiref.handlers.CGIHandler"],
 "S413": ["Crypto.Cipher"],