feat(python): add cwe-326 inadequate encryption strength rules

Bearer · May 28, 2024 · 5c62396 · 5c62396
1 parent be64956
commit 5c62396
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 3 deletions.
diff --git a/rules/python/django/weak_secret_key.yml b/rules/python/django/weak_secret_key.yml
@@ -0,0 +1,38 @@
+patterns:
+  - pattern: $<NAME> = $<KEY>
+    filters:
+      - variable: NAME
+        values:
+          - SECRET_KEY
+          - CRYPTOGRAPHY_KEY
+      - variable: KEY
+        length_less_than: 12
+languages:
+  - python
+metadata:
+  description: Usage of weak secret key
+  remediation_message: |-
+    ## Description
+
+    Weak secret keys can compromise data security. To ensure effective encryption, secret keys should be 12 bytes or greater.
+
+    ## Remediations
+
+    - **Do not** use secret keys shorter than 12 bytes. Short keys are easier to crack, putting your data at risk.
+      ```python
+      SECRET_KEY = "weak" # unsafe
+      ```
+    - **Do** ensure your secret keys are 12 bytes or longer to maintain strong encryption and protect sensitive data.
+      ```python
+      SECRET_KEY = "correct-horse-battery-staple"
+      ```
+
+    ## References
+
+    - [Django secret key setting and recommended best practice](https://docs.djangoproject.com/en/5.0/ref/settings/#std:setting-SECRET_KEY)
+    - [django-cryptography documentation](https://django-cryptography.readthedocs.io/en/latest/)
+  cwe_id:
+    - 326
+  id: python_django_weak_secret_key
+  documentation_url: https://docs.bearer.com/reference/rules/python_django_weak_secret_key
+severity: high
diff --git a/rules/python/lang/weak_hash_dss.yml b/rules/python/lang/weak_hash_dss.yml
@@ -53,7 +53,6 @@ auxiliary:
 languages:
   - python
 skip_data_types:
-  - "Unique Identifier"
   - "Passwords" # see python_lang_weak_password_hash_dss
 metadata:
   description: "Usage of weak hashing library (DSS)"

diff --git a/rules/python/lang/weak_hash_md5.yml b/rules/python/lang/weak_hash_md5.yml
@@ -81,7 +81,6 @@ auxiliary:
 languages:
   - python
 skip_data_types:
-  - "Unique Identifier"
   - "Passwords" # see python_lang_weak_password_encryption_md5
 metadata:
   description: "Usage of weak hashing library (MDx)"

diff --git a/rules/python/lang/weak_hash_sha1.yml b/rules/python/lang/weak_hash_sha1.yml
@@ -81,7 +81,6 @@ auxiliary:
 languages:
   - python
 skip_data_types:
-  - "Unique Identifier"
   - "Passwords" # see python_lang_weak_password_encryption_sha1
 metadata:
   description: "Usage of weak hashing library (SHA-1)"

diff --git a/tests/python/django/weak_secret_key/test.js b/tests/python/django/weak_secret_key/test.js
@@ -0,0 +1,20 @@
+const {
+  createNewInvoker,
+  getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+  test("weak_secret_key", () => {
+    const testCase = "main.py"
+
+    const results = invoke(testCase)
+
+    expect(results).toEqual({
+      Missing: [],
+      Extra: []
+    })
+  })
+})
diff --git a/tests/python/django/weak_secret_key/testdata/main.py b/tests/python/django/weak_secret_key/testdata/main.py
@@ -0,0 +1,7 @@
+SECRET_KEY = "correct-horse-battery-staple"
+# bearer:expected python_django_weak_secret_key
+SECRET_KEY = "weak"
+
+CRYPTOGRAPHY_KEY = "correct-horse-battery-staple"
+# bearer:expected python_django_weak_secret_key
+CRYPTOGRAPHY_KEY = "weak"