feat(python): add weak password hash DSS

Bearer · May 28, 2024 · 86c6ff4 · 86c6ff4
1 parent c9e68bd
commit 86c6ff4
Show file tree

Hide file tree

Showing 3 changed files with 98 additions and 0 deletions.
diff --git a/rules/python/lang/weak_password_hash_dss.yml b/rules/python/lang/weak_password_hash_dss.yml
@@ -0,0 +1,68 @@
+imports:
+  - python_shared_lang_import1
+  - python_shared_lang_datatype
+patterns:
+  - pattern: $<FUNCTION>($<ALGORITHM>, $<DATA_TYPE>$<...>)
+    filters:
+      - variable: FUNCTION
+        detection: python_shared_lang_import1
+        scope: cursor
+        filters:
+          - variable: MODULE1
+            values: [hashlib]
+          - variable: NAME
+            values: [new]
+      - variable: ALGORITHM
+        string_regex: (?i)\Adss
+      - variable: DATA_TYPE
+        detection: python_shared_lang_datatype
+        scope: result
+  - pattern: $<DSS>.update($<DATA_TYPE>)
+    filters:
+      - variable: DSS
+        detection: python_lang_weak_password_hash_dss_init
+        scope: cursor
+      - variable: DATA_TYPE
+        detection: python_shared_lang_datatype
+        scope: result
+auxiliary:
+  - id: python_lang_weak_password_hash_dss_init
+    patterns:
+      - pattern: $<FUNCTION>($<ALGORITHM>$<...>)
+        filters:
+          - variable: FUNCTION
+            detection: python_shared_lang_import1
+            scope: cursor
+            filters:
+              - variable: MODULE1
+                values: [hashlib]
+              - variable: NAME
+                values: [new]
+          - variable: ALGORITHM
+            string_regex: (?i)\Adss
+languages:
+  - python
+only_data_types:
+  - Passwords
+metadata:
+  description: Usage of weak hashing library on a password (DSS)
+  remediation_message: |-
+    ## Description
+
+    Using a weak hashing library like DSS increases the risk of data breaches. DSS has known security flaws and vulnerabilities, and its use is no longer recommended.
+
+    ## Remediations
+
+    - **Do not** use DSS for hashing passwords as it is considered a weak algorithm. This can compromise data security.
+      ```python
+      hashlib.new('dss', data).digest() # unsafe
+      ```
+    - **Do** use stronger hashing algorithms such as SHA-256 to enhance the security of stored passwords.
+      ```python
+      hashlib.sha256(data).digest()
+      ```
+  cwe_id:
+    - 326
+  id: python_lang_weak_password_hash_dss
+  documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_password_hash_dss
+severity: medium
diff --git a/tests/python/lang/weak_password_hash_dss/test.js b/tests/python/lang/weak_password_hash_dss/test.js
@@ -0,0 +1,20 @@
+const {
+  createNewInvoker,
+  getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+  test("weak_password_hash_dss", () => {
+    const testCase = "main.py"
+
+    const results = invoke(testCase)
+
+    expect(results).toEqual({
+      Missing: [],
+      Extra: []
+    })
+  })
+})
diff --git a/tests/python/lang/weak_password_hash_dss/testdata/main.py b/tests/python/lang/weak_password_hash_dss/testdata/main.py
@@ -0,0 +1,10 @@
+# Use bearer:expected python_lang_weak_password_hash_dss to flag expected findings
+import hashlib
+
+# bearer:expected python_lang_weak_password_hash_dss
+result = hashlib.new('DSS', user.password, False)
+# bearer:expected python_lang_weak_password_hash_dss
+result.update(user.password)
+
+# ok (not a password)
+result = hashlib.new('DSS', user.name, False)