diff --git a/rules/python/lang/weak_password_hash_dss.yml b/rules/python/lang/weak_password_hash_dss.yml
new file mode 100644
index 00000000..1668f300
--- /dev/null
+++ b/rules/python/lang/weak_password_hash_dss.yml
@@ -0,0 +1,68 @@
+imports:
+ - python_shared_lang_import1
+ - python_shared_lang_datatype
+patterns:
+ - pattern: $($, $$<...>)
+ filters:
+ - variable: FUNCTION
+ detection: python_shared_lang_import1
+ scope: cursor
+ filters:
+ - variable: MODULE1
+ values: [hashlib]
+ - variable: NAME
+ values: [new]
+ - variable: ALGORITHM
+ string_regex: (?i)\Adss
+ - variable: DATA_TYPE
+ detection: python_shared_lang_datatype
+ scope: result
+ - pattern: $.update($)
+ filters:
+ - variable: DSS
+ detection: python_lang_weak_password_hash_dss_init
+ scope: cursor
+ - variable: DATA_TYPE
+ detection: python_shared_lang_datatype
+ scope: result
+auxiliary:
+ - id: python_lang_weak_password_hash_dss_init
+ patterns:
+ - pattern: $($$<...>)
+ filters:
+ - variable: FUNCTION
+ detection: python_shared_lang_import1
+ scope: cursor
+ filters:
+ - variable: MODULE1
+ values: [hashlib]
+ - variable: NAME
+ values: [new]
+ - variable: ALGORITHM
+ string_regex: (?i)\Adss
+languages:
+ - python
+only_data_types:
+ - Passwords
+metadata:
+ description: Usage of weak hashing library on a password (DSS)
+ remediation_message: |-
+ ## Description
+
+ Using a weak hashing library like DSS increases the risk of data breaches. DSS has known security flaws and vulnerabilities, and its use is no longer recommended.
+
+ ## Remediations
+
+ - **Do not** use DSS for hashing passwords as it is considered a weak algorithm. This can compromise data security.
+ ```python
+ hashlib.new('dss', data).digest() # unsafe
+ ```
+ - **Do** use stronger hashing algorithms such as SHA-256 to enhance the security of stored passwords.
+ ```python
+ hashlib.sha256(data).digest()
+ ```
+ cwe_id:
+ - 326
+ id: python_lang_weak_password_hash_dss
+ documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_password_hash_dss
+severity: medium
diff --git a/tests/python/lang/weak_password_hash_dss/test.js b/tests/python/lang/weak_password_hash_dss/test.js
new file mode 100644
index 00000000..14572dcf
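Review bot: The remediation in `remediation_message` tells users to replace DSS with `hashlib.sha256(data).digest()` for stored passwords, but for a rule scoped to `only_data_types: Passwords` a single unsalted fast digest is not an adequate fix either; point at a slow, salted KDF the stdlib already provides, e.g. `hashlib.pbkdf2_hmac('sha256', password, salt, 600_000)` or `hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1)` (parameters are illustrative), and consider listing CWE-916 alongside 326. The `description` and the first remediation paragraph call DSS a "hashing library"; it is an algorithm name accepted by `hashlib.new`, so `Usage of weak hashing algorithm on a password (DSS)` reads more accurately. `string_regex: (?i)\Adss` is anchored only at the start and so also matches names such as DSS1, which is probably intended but worth making explicit with `(?i)\Adss1?\z` or a comment. The metavariables in the three `pattern:` lines appear here as `$($, $$<...>)`, `$.update($)` and `$($$<...>)`, presumably `$<FUNCTION>(...)` / `$<DSS>.update($<DATA_TYPE>)` with the angle-bracket names stripped by extraction; if the committed file really reads this way, the filters on FUNCTION, ALGORITHM, DSS and DATA_TYPE have nothing to bind to.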
--- /dev/null
+++ b/tests/python/lang/weak_password_hash_dss/test.js
@@ -0,0 +1,20 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("weak_password_hash_dss", () => {
+ const testCase = "main.py"
+
+ const results = invoke(testCase)
+
+ expect(results).toEqual({
+ Missing: [],
+ Extra: []
+ })
+ })
+})
\ No newline at end of file
diff --git a/tests/python/lang/weak_password_hash_dss/testdata/main.py b/tests/python/lang/weak_password_hash_dss/testdata/main.py
new file mode 100644
index 00000000..aa865c65
--- /dev/null
+++ b/tests/python/lang/weak_password_hash_dss/testdata/main.py
@@ -0,0 +1,10 @@
+# Use bearer:expected python_lang_weak_password_hash_dss to flag expected findings
+import hashlib
+
+# bearer:expected python_lang_weak_password_hash_dss
+result = hashlib.new('DSS', user.password, False)
+# bearer:expected python_lang_weak_password_hash_dss
+result.update(user.password)
+
+# ok (not a password)
+result = hashlib.new('DSS', user.name, False)
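Review bot: The only negative case in the new test data, `result = hashlib.new('DSS', user.name, False)`, exercises the data-type filter; nothing checks that the algorithm filter (`string_regex: (?i)\Adss`) and the `NAME: [new]` filter stay quiet on a compliant call, so an over-broad regex would still produce `Missing: [] / Extra: []`. Add a non-DSS password case after the existing `# ok` block, `# ok (strong algorithm)` / `result = hashlib.new('sha256', user.password)`, and, if `.update` on a non-DSS digest is meant to stay quiet, `result.update(user.password)` beneath it. `user` is an undeclared name, which is normal for static-analysis fixtures but deserves a short note in the header comment so it is not mistaken for a missing import.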