-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(python): add cwe-328 weak hash rules (#414)
- Loading branch information
Showing
14 changed files
with
368 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| imports: | ||
| - python_shared_lang_import1 | ||
| - python_shared_lang_datatype | ||
| patterns: | ||
| - pattern: | | ||
| $<FUNCTION>($<OPTIONAL_DATA_TYPE>$<...>) | ||
| filters: | ||
| - variable: FUNCTION | ||
| detection: python_shared_lang_import1 | ||
| scope: cursor | ||
| filters: | ||
| - variable: MODULE1 | ||
| values: [zlib] | ||
| - variable: NAME | ||
| values: [adler32] | ||
| - either: | ||
| - variable: OPTIONAL_DATA_TYPE | ||
| detection: python_shared_lang_datatype | ||
| scope: result | ||
| - not: | ||
| variable: OPTIONAL_DATA_TYPE | ||
| detection: python_shared_lang_datatype | ||
| scope: result | ||
| languages: | ||
| - python | ||
| metadata: | ||
| description: "Usage of weak hashing library (Adler-32)" | ||
| remediation_message: |- | ||
| ## Description | ||
| Adler-32 is a weak hashing algorithm that offers minimal security. It is not suitable for protecting data against intentional modifications. | ||
| ## Remediations | ||
| - **Do not** use Adler-32 for hashing when security is a concern. Its simplicity and speed do not compensate for its lack of protection against data tampering. | ||
| ```python | ||
| myhash = zlib.adler32(data) # unsafe | ||
| ``` | ||
| - **Do** opt for stronger hashing algorithms like SHA-256 to ensure data integrity and security. | ||
| ```python | ||
| myhash = hashlib.sha256(data).digest() | ||
| ``` | ||
| cwe_id: | ||
| - 328 | ||
| id: python_lang_weak_hash_adler32 | ||
| documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_hash_adler32 | ||
| severity: medium |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| imports: | ||
| - python_shared_lang_import1 | ||
| - python_shared_lang_datatype | ||
| patterns: | ||
| - pattern: | | ||
| $<FUNCTION>($<OPTIONAL_DATA_TYPE>$<...>) | ||
| filters: | ||
| - variable: FUNCTION | ||
| detection: python_shared_lang_import1 | ||
| scope: cursor | ||
| filters: | ||
| - variable: MODULE1 | ||
| values: [zlib] | ||
| - variable: NAME | ||
| values: [crc32] | ||
| - either: | ||
| - variable: OPTIONAL_DATA_TYPE | ||
| detection: python_shared_lang_datatype | ||
| scope: result | ||
| - not: | ||
| variable: OPTIONAL_DATA_TYPE | ||
| detection: python_shared_lang_datatype | ||
| scope: result | ||
| languages: | ||
| - python | ||
| metadata: | ||
| description: "Usage of weak hashing library (CRC32)" | ||
| remediation_message: |- | ||
| ## Description | ||
| The use of CRC32 for hashing is insecure. CRC32 is designed for error-checking and not for security purposes, making it vulnerable to intentional data tampering. | ||
| ## Remediations | ||
| - **Do not** use CRC32 for hashing when security is a concern. It is not secure against intentional data modifications. | ||
| ```python | ||
| myhash = zlib.crc32(data) # unsafe | ||
| ``` | ||
| - **Do** opt for stronger hashing algorithms like SHA-256 to ensure data integrity and security. | ||
| ```python | ||
| myhash = hashlib.sha256(data).digest() | ||
| ``` | ||
| cwe_id: | ||
| - 328 | ||
| id: python_lang_weak_hash_crc32 | ||
| documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_hash_crc32 | ||
| severity: medium |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| imports: | ||
| - python_shared_lang_import1 | ||
| - python_shared_lang_datatype | ||
| patterns: | ||
| - pattern: $<FUNCTION>($<ALGORITHM>, $<OPTIONAL_DATA_TYPE>$<...>) | ||
| filters: | ||
| - variable: FUNCTION | ||
| detection: python_shared_lang_import1 | ||
| scope: cursor | ||
| filters: | ||
| - variable: MODULE1 | ||
| values: [hashlib] | ||
| - variable: NAME | ||
| values: [new] | ||
| - variable: ALGORITHM | ||
| string_regex: (?i)\Adss | ||
| - either: | ||
| - variable: OPTIONAL_DATA_TYPE | ||
| detection: python_shared_lang_datatype | ||
| scope: result | ||
| - not: | ||
| variable: OPTIONAL_DATA_TYPE | ||
| detection: python_shared_lang_datatype | ||
| scope: result | ||
| - pattern: $<DSS>.update($<OPTIONAL_DATA_TYPE>) | ||
| filters: | ||
| - variable: DSS | ||
| detection: python_lang_weak_hash_dss_init | ||
| scope: cursor | ||
| - either: | ||
| - variable: OPTIONAL_DATA_TYPE | ||
| detection: python_shared_lang_datatype | ||
| scope: result | ||
| - not: | ||
| variable: OPTIONAL_DATA_TYPE | ||
| detection: python_shared_lang_datatype | ||
| scope: result | ||
| auxiliary: | ||
| - id: python_lang_weak_hash_dss_init | ||
| patterns: | ||
| - pattern: $<FUNCTION>($<ALGORITHM>$<...>) | ||
| filters: | ||
| - variable: FUNCTION | ||
| detection: python_shared_lang_import1 | ||
| scope: cursor | ||
| filters: | ||
| - variable: MODULE1 | ||
| values: [hashlib] | ||
| - variable: NAME | ||
| values: [new] | ||
| - variable: ALGORITHM | ||
| string_regex: (?i)\Adss | ||
| languages: | ||
| - python | ||
| skip_data_types: | ||
| - "Unique Identifier" | ||
| - "Passwords" # see python_lang_weak_password_hash_dss | ||
| metadata: | ||
| description: "Usage of weak hashing library (DSS)" | ||
| remediation_message: |- | ||
| ## Description | ||
| Using a weak hashing library like DSS increases the risk of data breaches. DSS has known security flaws and vulnerabilities, and its use is no longer recommended. | ||
| ## Remediations | ||
| - **Do not** use DSS for hashing as it is considered a weak algorithm. This can compromise data security. | ||
| ```python | ||
| hashlib.new('dss', data).digest() # unsafe | ||
| ``` | ||
| - **Do** opt for stronger hashing algorithms like SHA-256 to enhance security. | ||
| ```python | ||
| hashlib.sha256(data).digest() | ||
| ``` | ||
| cwe_id: | ||
| - 328 | ||
| id: python_lang_weak_hash_dss | ||
| documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_hash_dss | ||
| cloud_code_suggestions: true | ||
| severity: medium |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| const { | ||
| createNewInvoker, | ||
| getEnvironment, | ||
| } = require("../../../helper.js") | ||
| const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) | ||
|
|
||
| describe(ruleId, () => { | ||
| const invoke = createNewInvoker(ruleId, ruleFile, testBase) | ||
|
|
||
| test("weak_hash_adler32", () => { | ||
| const testCase = "main.py" | ||
|
|
||
| const results = invoke(testCase) | ||
|
|
||
| expect(results).toEqual({ | ||
| Missing: [], | ||
| Extra: [] | ||
| }) | ||
| }) | ||
| }) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| import zlib | ||
|
|
||
| # bearer:expected python_lang_weak_hash_adler32 | ||
| zlib.adler32(user.email, 42) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| const { | ||
| createNewInvoker, | ||
| getEnvironment, | ||
| } = require("../../../helper.js") | ||
| const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) | ||
|
|
||
| describe(ruleId, () => { | ||
| const invoke = createNewInvoker(ruleId, ruleFile, testBase) | ||
|
|
||
| test("weak_hash_crc32", () => { | ||
| const testCase = "main.py" | ||
|
|
||
| const results = invoke(testCase) | ||
|
|
||
| expect(results).toEqual({ | ||
| Missing: [], | ||
| Extra: [] | ||
| }) | ||
| }) | ||
| }) |
Oops, something went wrong.