diff --git a/tests/python/lang/logger/__snapshots__/test.js.snap b/tests/python/lang/logger/__snapshots__/test.js.snap deleted file mode 100644 index 5ab9dfe2b..000000000 --- a/tests/python/lang/logger/__snapshots__/test.js.snap +++ /dev/null 
@@ -1,54 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`python_lang_logger bad 1`] = ` -"{ - "critical": [ - { - "cwe_ids": [ - "532" - ], - "id": "python_lang_logger", - "title": "Leakage of sensitive information in logger message", - "description": "## Description\\n\\nLeaking sensitive data to loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to loggers.\\n\\n## Remediations\\n\\n❌ Avoid using sensitive data in logger messages:\\n\\n\`\`\`python\\nlogger.info(f\\"User is: '{user.email}'\\")\\n\`\`\`\\n\\n✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`python\\nlogger.info(f\\"User is: '{user.uuid}'\\")\\n\`\`\`\\n\\n## Resources\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/python_lang_logger", - "line_number": 8, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "data_type": { - "category_uuid": "cef587dd-76db-430b-9e18-7b031e1a193b", - "name": "Email Address" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 8, - "end": 8, - "column": { - "start": 25, - "end": 35 - } - }, - "sink": { - "start": 8, - "end": 8, - "column": { - "start": 3, - "end": 46 - }, - "content": "logging.info(f\\"User '{user.email}' logged\\")" - }, - "parent_line_number": 8, - "snippet": "logging.info(f\\"User '{user.email}' logged\\")", - "fingerprint": "26de6bb1dfb2afc2043f7d5a7f38ed93_0", - "old_fingerprint": "824bfab5ed8408be80510d29396c955e_0", - "code_extract": " logging.info(f\\"User '{user.email}' logged\\")" - } - ] -}" -`; - -exports[`python_lang_logger ok 1`] = `"{}"`; - -exports[`python_lang_logger shared_datatype 1`] = `"{}"`; 
diff --git a/tests/python/lang/logger/test.js b/tests/python/lang/logger/test.js index d015d8ccf..890c22c8c 100644 --- a/tests/python/lang/logger/test.js +++ b/tests/python/lang/logger/test.js @@ -1,21 +1,40 @@ -const { createInvoker, getEnvironment } = require("../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) - - test("bad", () => { - const testCase = "bad.py" - expect(invoke(testCase)).toMatchSnapshot() - }) - - test("ok", () => { - const testCase = "ok.py" - expect(invoke(testCase)).toMatchSnapshot() - }) - - test("shared_datatype", () => { - const testCase = "shared_datatype.py" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) + + + test("bad", () => { + const testCase = "bad.py" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("ok", () => { + const testCase = "ok.py" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("shared_datatype", () => { + const testCase = "shared_datatype.py" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/python/lang/logger/testdata/bad.py b/tests/python/lang/logger/testdata/bad.py index cd4da0745..b8304f669 100644 --- a/tests/python/lang/logger/testdata/bad.py +++ b/tests/python/lang/logger/testdata/bad.py @@ -5,4 +5,5 @@ def do_something(user): def authenticate(user): do_something() +# bearer:expected python_lang_logger logging.info(f"User '{user.email}' logged") \ No newline at end of file 
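Review bot: The new assertions only check that the set of findings matches the `# bearer:expected` annotations, so the severity level, `cwe_ids` and `data_type` that the deleted snapshot pinned (`critical` with `Email Address` here, and `critical` for the `username` flow versus `high` for the literal inputs in the weak_hash snapshots) are no longer verified; if `createNewInvoker` compares only rule id and line, which the `Missing`/`Extra` shape suggests, a severity or data-type regression would now pass silently, so either assert on those fields too or add a comment such as `// Only presence/absence per annotated line is checked; severity and data_type are not covered here`. The three test bodies are identical apart from the file name and could be one `test.each` over the case names, which also drops the doubled blank lines and the missing trailing newline. The same applies to the `test.js` hunks for weak_hash_md5, weak_hash_sha1, weak_password_encryption_md5 and weak_password_encryption_sha1 in this diff.
```javascript
describe(ruleId, () => {
  const invoke = createNewInvoker(ruleId, ruleFile, testBase)

  test.each(["bad", "ok", "shared_datatype"])("%s", (name) => {
    const results = invoke(`${name}.py`)

    expect(results.Missing).toEqual([])
    expect(results.Extra).toEqual([])
  })
})
```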
diff --git a/tests/python/lang/weak_hash_md5/__snapshots__/test.js.snap b/tests/python/lang/weak_hash_md5/__snapshots__/test.js.snap deleted file mode 100644 index 0310b8cfd..000000000 --- a/tests/python/lang/weak_hash_md5/__snapshots__/test.js.snap +++ /dev/null 
@@ -1,130 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`python_lang_weak_hash_md5 bad 1`] = ` -"{ - "critical": [ - { - "cwe_ids": [ - "328" - ], - "id": "python_lang_weak_hash_md5", - "title": "Usage of weak hashing library (MD5)", - "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Avoid libraries and algorithms with known weaknesses:\\n\\n\`\`\`python\\nhashlib.md5('password').digest()\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`python\\nhashlib.sha256('password').digest()\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/python_lang_weak_hash_md5", - "line_number": 11, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "data_type": { - "category_uuid": "14124881-6b92-4fc5-8005-ea7c1c09592e", - "name": "Fullname" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 10, - "end": 10, - "column": { - "start": 12, - "end": 21 - } - }, - "sink": { - "start": 11, - "end": 11, - "column": { - "start": 10, - "end": 40 - }, - "content": "hashlib.md5(username.encode())" - }, - "parent_line_number": 11, - "snippet": "hashlib.md5(username.encode())", - "fingerprint": "ae89c2b6af43af85ec1cb534a6743a7a_2", - "old_fingerprint": "8c6863bc0e7d3fd125fb2002ce390ade_2", - "code_extract": "result = hashlib.md5(username.encode())" - } - ], - "high": [ - { - "cwe_ids": [ - "328" - ], - "id": "python_lang_weak_hash_md5", - "title": "Usage of weak hashing library (MD5)", - "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## 
Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Avoid libraries and algorithms with known weaknesses:\\n\\n\`\`\`python\\nhashlib.md5('password').digest()\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`python\\nhashlib.sha256('password').digest()\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/python_lang_weak_hash_md5", - "line_number": 4, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 4, - "end": 4, - "column": { - "start": 1, - "end": 26 - } - }, - "sink": { - "start": 4, - "end": 4, - "column": { - "start": 1, - "end": 26 - }, - "content": "result.update('password')" - }, - "parent_line_number": 4, - "snippet": "result.update('password')", - "fingerprint": "ae89c2b6af43af85ec1cb534a6743a7a_0", - "old_fingerprint": "8c6863bc0e7d3fd125fb2002ce390ade_0", - "code_extract": "result.update('password')" - }, - { - "cwe_ids": [ - "328" - ], - "id": "python_lang_weak_hash_md5", - "title": "Usage of weak hashing library (MD5)", - "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Avoid libraries and algorithms with known weaknesses:\\n\\n\`\`\`python\\nhashlib.md5('password').digest()\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`python\\nhashlib.sha256('password').digest()\\n\`\`\`\\n", - 
"documentation_url": "https://docs.bearer.com/reference/rules/python_lang_weak_hash_md5", - "line_number": 7, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 7, - "end": 7, - "column": { - "start": 10, - "end": 34 - } - }, - "sink": { - "start": 7, - "end": 7, - "column": { - "start": 10, - "end": 34 - }, - "content": "hashlib.md5(b'password')" - }, - "parent_line_number": 7, - "snippet": "hashlib.md5(b'password')", - "fingerprint": "ae89c2b6af43af85ec1cb534a6743a7a_1", - "old_fingerprint": "8c6863bc0e7d3fd125fb2002ce390ade_1", - "code_extract": "result = hashlib.md5(b'password')" - } - ] -}" -`; - -exports[`python_lang_weak_hash_md5 ok 1`] = `"{}"`; diff --git a/tests/python/lang/weak_hash_md5/test.js b/tests/python/lang/weak_hash_md5/test.js index 5cae02f5c..e3ae6966d 100644 --- a/tests/python/lang/weak_hash_md5/test.js +++ b/tests/python/lang/weak_hash_md5/test.js @@ -1,16 +1,30 @@ -const { createInvoker, getEnvironment } = require("../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("bad", () => { - const testCase = "bad.py" - expect(invoke(testCase)).toMatchSnapshot() - }) + + test("bad", () => { + const testCase = "bad.py" - test("ok", () => { - const testCase = "ok.py" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("ok", () => { + const testCase = "ok.py" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file 
diff --git a/tests/python/lang/weak_hash_md5/testdata/bad.py b/tests/python/lang/weak_hash_md5/testdata/bad.py index 99602de1c..98980bcc6 100644 --- a/tests/python/lang/weak_hash_md5/testdata/bad.py +++ b/tests/python/lang/weak_hash_md5/testdata/bad.py @@ -1,12 +1,15 @@ import hashlib result = hashlib.md5() +# bearer:expected python_lang_weak_hash_md5 result.update('password') result.digest() +# bearer:expected python_lang_weak_hash_md5 result = hashlib.md5(b'password') result.digest() username = user.name +# bearer:expected python_lang_weak_hash_md5 result = hashlib.md5(username.encode()) result.hexdigest() diff --git a/tests/python/lang/weak_hash_sha1/__snapshots__/test.js.snap b/tests/python/lang/weak_hash_sha1/__snapshots__/test.js.snap deleted file mode 100644 index 4836a7f0e..000000000 --- a/tests/python/lang/weak_hash_sha1/__snapshots__/test.js.snap +++ /dev/null 
@@ -1,130 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`python_lang_weak_hash_sha1 bad 1`] = ` -"{ - "critical": [ - { - "cwe_ids": [ - "328" - ], - "id": "python_lang_weak_hash_sha1", - "title": "Usage of weak hashing library (SHA1)", - "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Avoid libraries and algorithms with known weaknesses:\\n\\n\`\`\`python\\nhashlib.sha1('password').digest()\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`python\\nhashlib.sha256('password').digest()\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/python_lang_weak_hash_sha1", - "line_number": 11, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "data_type": { - "category_uuid": "14124881-6b92-4fc5-8005-ea7c1c09592e", - "name": "Fullname" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 10, - "end": 10, - "column": { - "start": 12, - "end": 21 - } - }, - "sink": { - "start": 11, - "end": 11, - "column": { - "start": 10, - "end": 41 - }, - "content": "hashlib.sha1(username.encode())" - }, - "parent_line_number": 11, - "snippet": "hashlib.sha1(username.encode())", - "fingerprint": "7038cad9473fc880f426a26da1b2d2ee_2", - "old_fingerprint": "82737e59f2a58255aa7c3c1cf4650a0c_2", - "code_extract": "result = hashlib.sha1(username.encode())" - } - ], - "high": [ - { - "cwe_ids": [ - "328" - ], - "id": "python_lang_weak_hash_sha1", - "title": "Usage of weak hashing library (SHA1)", - "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## 
Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Avoid libraries and algorithms with known weaknesses:\\n\\n\`\`\`python\\nhashlib.sha1('password').digest()\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`python\\nhashlib.sha256('password').digest()\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/python_lang_weak_hash_sha1", - "line_number": 4, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 4, - "end": 4, - "column": { - "start": 1, - "end": 26 - } - }, - "sink": { - "start": 4, - "end": 4, - "column": { - "start": 1, - "end": 26 - }, - "content": "result.update('password')" - }, - "parent_line_number": 4, - "snippet": "result.update('password')", - "fingerprint": "7038cad9473fc880f426a26da1b2d2ee_0", - "old_fingerprint": "82737e59f2a58255aa7c3c1cf4650a0c_0", - "code_extract": "result.update('password')" - }, - { - "cwe_ids": [ - "328" - ], - "id": "python_lang_weak_hash_sha1", - "title": "Usage of weak hashing library (SHA1)", - "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Avoid libraries and algorithms with known weaknesses:\\n\\n\`\`\`python\\nhashlib.sha1('password').digest()\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`python\\nhashlib.sha256('password').digest()\\n\`\`\`\\n", - 
"documentation_url": "https://docs.bearer.com/reference/rules/python_lang_weak_hash_sha1", - "line_number": 7, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 7, - "end": 7, - "column": { - "start": 10, - "end": 35 - } - }, - "sink": { - "start": 7, - "end": 7, - "column": { - "start": 10, - "end": 35 - }, - "content": "hashlib.sha1(b'password')" - }, - "parent_line_number": 7, - "snippet": "hashlib.sha1(b'password')", - "fingerprint": "7038cad9473fc880f426a26da1b2d2ee_1", - "old_fingerprint": "82737e59f2a58255aa7c3c1cf4650a0c_1", - "code_extract": "result = hashlib.sha1(b'password')" - } - ] -}" -`; - -exports[`python_lang_weak_hash_sha1 ok 1`] = `"{}"`; diff --git a/tests/python/lang/weak_hash_sha1/test.js b/tests/python/lang/weak_hash_sha1/test.js index 5cae02f5c..e3ae6966d 100644 --- a/tests/python/lang/weak_hash_sha1/test.js +++ b/tests/python/lang/weak_hash_sha1/test.js @@ -1,16 +1,30 @@ -const { createInvoker, getEnvironment } = require("../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("bad", () => { - const testCase = "bad.py" - expect(invoke(testCase)).toMatchSnapshot() - }) + + test("bad", () => { + const testCase = "bad.py" - test("ok", () => { - const testCase = "ok.py" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("ok", () => { + const testCase = "ok.py" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file 
diff --git a/tests/python/lang/weak_hash_sha1/testdata/bad.py b/tests/python/lang/weak_hash_sha1/testdata/bad.py index 1403132a4..1f36cb4cb 100644 --- a/tests/python/lang/weak_hash_sha1/testdata/bad.py +++ b/tests/python/lang/weak_hash_sha1/testdata/bad.py @@ -1,12 +1,15 @@ import hashlib result = hashlib.sha1() +# bearer:expected python_lang_weak_hash_sha1 result.update('password') result.digest() +# bearer:expected python_lang_weak_hash_sha1 result = hashlib.sha1(b'password') result.digest() username = user.name +# bearer:expected python_lang_weak_hash_sha1 result = hashlib.sha1(username.encode()) result.hexdigest() \ No newline at end of file diff --git a/tests/python/lang/weak_password_encryption_md5/__snapshots__/test.js.snap b/tests/python/lang/weak_password_encryption_md5/__snapshots__/test.js.snap deleted file mode 100644 index ffbf66cc4..000000000 --- a/tests/python/lang/weak_password_encryption_md5/__snapshots__/test.js.snap +++ /dev/null 
@@ -1,136 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`python_lang_weak_password_encryption_md5 bad 1`] = ` -"{ - "critical": [ - { - "cwe_ids": [ - "326" - ], - "id": "python_lang_weak_password_encryption_md5", - "title": "Usage of weak hashing library on a password (MD5)", - "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Do not use encryption for passwords, wherever possible:\\n\\n\`\`\`python\\nhashlib.md5(user.password).digest()\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`python\\nhashlib.sha256(user.password).digest()\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/python_lang_weak_password_encryption_md5", - "line_number": 4, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "data_type": { - "category_uuid": "dd88aee5-9d40-4ad2-8983-0c791ddec47c", - "name": "Passwords" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 4, - "end": 4, - "column": { - "start": 15, - "end": 28 - } - }, - "sink": { - "start": 4, - "end": 4, - "column": { - "start": 1, - "end": 29 - }, - "content": "result.update(user.password)" - }, - "parent_line_number": 4, - "snippet": "result.update(user.password)", - "fingerprint": "31f32b01ee463426bea642b75fa25366_0", - "old_fingerprint": "f7ec1ec8f3cb22c75a2f7c5ace4b3b05_0", - "code_extract": "result.update(user.password)" - }, - { - "cwe_ids": [ - "326" - ], - "id": "python_lang_weak_password_encryption_md5", - "title": "Usage of weak hashing library on a password (MD5)", - "description": "## Description\\n\\nA weak hashing library can lead to data 
breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Do not use encryption for passwords, wherever possible:\\n\\n\`\`\`python\\nhashlib.md5(user.password).digest()\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`python\\nhashlib.sha256(user.password).digest()\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/python_lang_weak_password_encryption_md5", - "line_number": 7, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "data_type": { - "category_uuid": "dd88aee5-9d40-4ad2-8983-0c791ddec47c", - "name": "Passwords" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 7, - "end": 7, - "column": { - "start": 22, - "end": 35 - } - }, - "sink": { - "start": 7, - "end": 7, - "column": { - "start": 10, - "end": 36 - }, - "content": "hashlib.md5(user.password)" - }, - "parent_line_number": 7, - "snippet": "hashlib.md5(user.password)", - "fingerprint": "31f32b01ee463426bea642b75fa25366_1", - "old_fingerprint": "f7ec1ec8f3cb22c75a2f7c5ace4b3b05_1", - "code_extract": "result = hashlib.md5(user.password)" - }, - { - "cwe_ids": [ - "326" - ], - "id": "python_lang_weak_password_encryption_md5", - "title": "Usage of weak hashing library on a password (MD5)", - "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Do not use encryption for 
passwords, wherever possible:\\n\\n\`\`\`python\\nhashlib.md5(user.password).digest()\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`python\\nhashlib.sha256(user.password).digest()\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/python_lang_weak_password_encryption_md5", - "line_number": 11, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "data_type": { - "category_uuid": "dd88aee5-9d40-4ad2-8983-0c791ddec47c", - "name": "Passwords" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 10, - "end": 10, - "column": { - "start": 12, - "end": 25 - } - }, - "sink": { - "start": 11, - "end": 11, - "column": { - "start": 10, - "end": 40 - }, - "content": "hashlib.md5(password.encode())" - }, - "parent_line_number": 11, - "snippet": "hashlib.md5(password.encode())", - "fingerprint": "31f32b01ee463426bea642b75fa25366_2", - "old_fingerprint": "f7ec1ec8f3cb22c75a2f7c5ace4b3b05_2", - "code_extract": "result = hashlib.md5(password.encode())" - } - ] -}" -`; - -exports[`python_lang_weak_password_encryption_md5 ok 1`] = `"{}"`; diff --git a/tests/python/lang/weak_password_encryption_md5/test.js b/tests/python/lang/weak_password_encryption_md5/test.js index 5cae02f5c..e3ae6966d 100644 --- a/tests/python/lang/weak_password_encryption_md5/test.js +++ b/tests/python/lang/weak_password_encryption_md5/test.js 
@@ -1,16 +1,30 @@ -const { createInvoker, getEnvironment } = require("../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("bad", () => { - const testCase = "bad.py" - expect(invoke(testCase)).toMatchSnapshot() - }) + + test("bad", () => { + const testCase = "bad.py" - test("ok", () => { - const testCase = "ok.py" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("ok", () => { + const testCase = "ok.py" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/python/lang/weak_password_encryption_md5/testdata/bad.py b/tests/python/lang/weak_password_encryption_md5/testdata/bad.py index b53dd157f..977499344 100644 --- a/tests/python/lang/weak_password_encryption_md5/testdata/bad.py +++ b/tests/python/lang/weak_password_encryption_md5/testdata/bad.py @@ -1,12 +1,15 @@ import hashlib result = hashlib.md5() +# bearer:expected python_lang_weak_password_encryption_md5 result.update(user.password) result.digest() +# bearer:expected python_lang_weak_password_encryption_md5 result = hashlib.md5(user.password) result.digest() password = user.password +# bearer:expected python_lang_weak_password_encryption_md5 result = hashlib.md5(password.encode()) result.hexdigest() \ No newline at end of file diff --git a/tests/python/lang/weak_password_encryption_sha1/__snapshots__/test.js.snap b/tests/python/lang/weak_password_encryption_sha1/__snapshots__/test.js.snap deleted file mode 100644 index 5d039655a..000000000 
--- a/tests/python/lang/weak_password_encryption_sha1/__snapshots__/test.js.snap +++ /dev/null 
@@ -1,136 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`python_lang_weak_password_encryption_sha1 bad 1`] = ` -"{ - "critical": [ - { - "cwe_ids": [ - "326" - ], - "id": "python_lang_weak_password_encryption_sha1", - "title": "Usage of weak hashing library on a password (SHA1)", - "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), sha1 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Do not use encryption for passwords, wherever possible:\\n\\n\`\`\`python\\nhashlib.sha1(user.password).digest()\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`python\\nhashlib.sha256(user.password).digest()\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/python_lang_weak_password_encryption_sha1", - "line_number": 4, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "data_type": { - "category_uuid": "dd88aee5-9d40-4ad2-8983-0c791ddec47c", - "name": "Passwords" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 4, - "end": 4, - "column": { - "start": 15, - "end": 28 - } - }, - "sink": { - "start": 4, - "end": 4, - "column": { - "start": 1, - "end": 29 - }, - "content": "result.update(user.password)" - }, - "parent_line_number": 4, - "snippet": "result.update(user.password)", - "fingerprint": "6f318fa85d638da4930de2d64f16a4d2_0", - "old_fingerprint": "60f59b3c3856ac329dff2a88ed8988b6_0", - "code_extract": "result.update(user.password)" - }, - { - "cwe_ids": [ - "326" - ], - "id": "python_lang_weak_password_encryption_sha1", - "title": "Usage of weak hashing library on a password (SHA1)", - "description": "## Description\\n\\nA weak hashing library can lead to 
data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), sha1 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Do not use encryption for passwords, wherever possible:\\n\\n\`\`\`python\\nhashlib.sha1(user.password).digest()\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`python\\nhashlib.sha256(user.password).digest()\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/python_lang_weak_password_encryption_sha1", - "line_number": 7, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "data_type": { - "category_uuid": "dd88aee5-9d40-4ad2-8983-0c791ddec47c", - "name": "Passwords" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 7, - "end": 7, - "column": { - "start": 23, - "end": 36 - } - }, - "sink": { - "start": 7, - "end": 7, - "column": { - "start": 10, - "end": 37 - }, - "content": "hashlib.sha1(user.password)" - }, - "parent_line_number": 7, - "snippet": "hashlib.sha1(user.password)", - "fingerprint": "6f318fa85d638da4930de2d64f16a4d2_1", - "old_fingerprint": "60f59b3c3856ac329dff2a88ed8988b6_1", - "code_extract": "result = hashlib.sha1(user.password)" - }, - { - "cwe_ids": [ - "326" - ], - "id": "python_lang_weak_password_encryption_sha1", - "title": "Usage of weak hashing library on a password (SHA1)", - "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), sha1 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Do not use 
encryption for passwords, wherever possible:\\n\\n\`\`\`python\\nhashlib.sha1(user.password).digest()\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`python\\nhashlib.sha256(user.password).digest()\\n\`\`\`\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/python_lang_weak_password_encryption_sha1", - "line_number": 11, - "full_filename": "/tmp/bearer-scan/bad.py", - "filename": ".", - "data_type": { - "category_uuid": "dd88aee5-9d40-4ad2-8983-0c791ddec47c", - "name": "Passwords" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 10, - "end": 10, - "column": { - "start": 12, - "end": 25 - } - }, - "sink": { - "start": 11, - "end": 11, - "column": { - "start": 10, - "end": 41 - }, - "content": "hashlib.sha1(password.encode())" - }, - "parent_line_number": 11, - "snippet": "hashlib.sha1(password.encode())", - "fingerprint": "6f318fa85d638da4930de2d64f16a4d2_2", - "old_fingerprint": "60f59b3c3856ac329dff2a88ed8988b6_2", - "code_extract": "result = hashlib.sha1(password.encode())" - } - ] -}" -`; - -exports[`python_lang_weak_password_encryption_sha1 ok 1`] = `"{}"`; diff --git a/tests/python/lang/weak_password_encryption_sha1/test.js b/tests/python/lang/weak_password_encryption_sha1/test.js index 5cae02f5c..e3ae6966d 100644 --- a/tests/python/lang/weak_password_encryption_sha1/test.js +++ b/tests/python/lang/weak_password_encryption_sha1/test.js 
@@ -1,16 +1,30 @@ -const { createInvoker, getEnvironment } = require("../../../helper.js") +const { + createNewInvoker, + getEnvironment, +} = require("../../../helper.js") const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) describe(ruleId, () => { - const invoke = createInvoker(ruleId, ruleFile, testBase) + const invoke = createNewInvoker(ruleId, ruleFile, testBase) - test("bad", () => { - const testCase = "bad.py" - expect(invoke(testCase)).toMatchSnapshot() - }) + + test("bad", () => { + const testCase = "bad.py" - test("ok", () => { - const testCase = "ok.py" - expect(invoke(testCase)).toMatchSnapshot() - }) -}) + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + + + test("ok", () => { + const testCase = "ok.py" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) + +}) \ No newline at end of file diff --git a/tests/python/lang/weak_password_encryption_sha1/testdata/bad.py b/tests/python/lang/weak_password_encryption_sha1/testdata/bad.py index 522f1fb76..abc1e90c7 100644 --- a/tests/python/lang/weak_password_encryption_sha1/testdata/bad.py +++ b/tests/python/lang/weak_password_encryption_sha1/testdata/bad.py @@ -1,12 +1,15 @@ import hashlib result = hashlib.sha1() +# bearer:expected python_lang_weak_password_encryption_sha1 result.update(user.password) result.digest() +# bearer:expected python_lang_weak_password_encryption_sha1 result = hashlib.sha1(user.password) result.digest() password = user.password +# bearer:expected python_lang_weak_password_encryption_sha1 result = hashlib.sha1(password.encode()) result.hexdigest() \ No newline at end of file