Skip to content

Commit

Permalink
feat(python): add cwe-327 broken/risky crypto algorithm rules (#424)
Browse files Browse the repository at this point in the history
  • Loading branch information
@didroe
didroe authored May 29, 2024
1 parent be64956 commit e43f6ab
Show file tree
Hide file tree
Showing 27 changed files with 828 additions and 0 deletions.
45 changes: 45 additions & 0 deletions rules/python/django/jwt_weak_encryption.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
patterns:
- pattern: |
SIMPLE_JWT = { $<...>$<KEY>: $<ALGORITHM>$<...> }
focus: ALGORITHM
filters:
- variable: KEY
string_regex: \AALGORITHM\z
- variable: ALGORITHM
detection: python_django_jwt_weak_encryption_none
scope: cursor
auxiliary:
- id: python_django_jwt_weak_encryption_none
patterns:
- pattern: $<NONE>
filters:
- variable: NONE
string_regex: (?i)\Anone\z
- None
languages:
- python
metadata:
description: Usage of weak encryption algorithm in JWT
remediation_message: |-
## Description
Implementing weak encryption algorithms in JWT (JSON Web Tokens) compromises the security of the tokens. This vulnerability occurs when an encryption algorithm that does not offer sufficient security strength is used, making the tokens susceptible to attacks.
## Remediations
- **Do** use robust encryption algorithms recommended for JWT. HS256 (HMAC with SHA-256) is a secure choice for signing JWTs.
```python
SIMPLE_JWT = {
"ALGORITHM": "HS256"
}
```
## References
- [OWASP weak encryption](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)
cwe_id:
- 327
id: python_django_jwt_weak_encryption
documentation_url: https://docs.bearer.com/reference/rules/python_django_jwt_weak_encryption
cloud_code_suggestions: true
severity: high
60 changes: 60 additions & 0 deletions rules/python/lang/jwt_weak_encryption.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
imports:
- python_shared_lang_import1
patterns:
- pattern: $<ENCODE>($<_>, $<_>, $<ALGORITHM>$<...>)
filters:
- variable: ENCODE
detection: python_shared_lang_import1
filters:
- variable: MODULE1
values: [jwt]
- variable: NAME
values: [encode]
- variable: ALGORITHM
detection: python_lang_jwt_weak_encryption_none
scope: cursor
- pattern: $<ENCODE>($<...>algorithm=$<ALGORITHM>$<...>)
filters:
- variable: ENCODE
detection: python_shared_lang_import1
filters:
- variable: MODULE1
values: [jwt]
- variable: NAME
values: [encode]
- variable: ALGORITHM
detection: python_lang_jwt_weak_encryption_none
scope: cursor
auxiliary:
- id: python_lang_jwt_weak_encryption_none
patterns:
- pattern: $<NONE>
filters:
- variable: NONE
string_regex: (?i)\Anone\z
- None
languages:
- python
metadata:
description: Usage of weak encryption algorithm in JWT
remediation_message: |-
## Description
Implementing weak encryption algorithms in JWT (JSON Web Tokens) compromises the security of the tokens. This vulnerability occurs when an encryption algorithm that does not offer sufficient security strength is used, making the tokens susceptible to attacks.
## Remediations
- **Do** use robust encryption algorithms recommended for JWT. HS256 (HMAC with SHA-256) is a secure choice for signing JWTs.
```python
jwt.encode(payload, secret, algorithm="HS256")
```
## References
- [OWASP weak encryption](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)
cwe_id:
- 327
id: python_lang_jwt_weak_encryption
documentation_url: https://docs.bearer.com/reference/rules/python_lang_jwt_weak_encryption
cloud_code_suggestions: true
severity: high
63 changes: 63 additions & 0 deletions rules/python/lang/weak_encryption_blowfish.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
imports:
- python_shared_lang_datatype
- python_shared_lang_import2
patterns:
- pattern: $<CIPHER>.encrypt($<OPTIONAL_DATA_TYPE>$<...>)
filters:
- variable: CIPHER
detection: python_lang_weak_encryption_blowfish_instance
scope: cursor
- either:
- variable: OPTIONAL_DATA_TYPE
detection: python_shared_lang_datatype
scope: result
- not:
variable: OPTIONAL_DATA_TYPE
detection: python_shared_lang_datatype
scope: result
auxiliary:
- id: python_lang_weak_encryption_blowfish_instance
patterns:
- pattern: $<BLOWFISH>.new($<...>)
filters:
- variable: BLOWFISH
detection: python_shared_lang_import2
scope: cursor
filters:
- variable: MODULE1
values: [Crypto]
- variable: MODULE2
values: [Cipher]
- variable: NAME
values: [Blowfish]
languages:
- python
skip_data_types:
- Passwords # see python_lang_weak_password_encryption_blowfish
metadata:
description: "Usage of weak encryption algorithm (Blowfish)"
remediation_message: |-
## Description
Your code is at risk due to the use of Blowfish, a weak encryption algorithm. This vulnerability can lead to data breaches and compromises your security measures.
## Remediations
- **Do not** use Blowfish as it is outdated and vulnerable to attacks. Its use can significantly weaken your application's security.
- **Do** use stronger encryption algorithms to enhance data security. AES (Advanced Encryption Standard) is a recommended choice.
```python
from Crypto.Cipher import AES
cipher = AES.new(aes_key, AES.MODE_OCB)
ciphertext, tag = cipher.encrypt_and_digest(plaintext)
```
## References
- [PyCryptodome modern ciphers](https://pycryptodome.readthedocs.io/en/latest/src/cipher/modern.html)
cwe_id:
- 327
id: python_lang_weak_encryption_blowfish
documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_encryption_blowfish
cloud_code_suggestions: true
severity: high
65 changes: 65 additions & 0 deletions rules/python/lang/weak_encryption_des.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
imports:
- python_shared_lang_datatype
- python_shared_lang_import2
patterns:
- pattern: $<CIPHER>.encrypt($<OPTIONAL_DATA_TYPE>$<...>)
filters:
- variable: CIPHER
detection: python_lang_weak_encryption_des_instance
scope: cursor
- either:
- variable: OPTIONAL_DATA_TYPE
detection: python_shared_lang_datatype
scope: result
- not:
variable: OPTIONAL_DATA_TYPE
detection: python_shared_lang_datatype
scope: result
auxiliary:
- id: python_lang_weak_encryption_des_instance
patterns:
- pattern: $<DES>.new($<...>)
filters:
- variable: DES
detection: python_shared_lang_import2
scope: cursor
filters:
- variable: MODULE1
values: [Crypto]
- variable: MODULE2
values: [Cipher]
- variable: NAME
values:
- DES
- DES3
languages:
- python
skip_data_types:
- Passwords # see python_lang_weak_password_encryption_des
metadata:
description: "Usage of weak encryption algorithm (DES)"
remediation_message: |-
## Description
Your code is at risk due to the use of DES (Data Encryption Standard), a weak encryption algorithm. This vulnerability can lead to data breaches and compromises your security measures.
## Remediations
- **Do not** use DES as it is outdated and vulnerable to attacks. Its use can significantly weaken your application's security.
- **Do** use stronger encryption algorithms to enhance data security. AES (Advanced Encryption Standard) is a recommended choice.
```python
from Crypto.Cipher import AES
cipher = AES.new(aes_key, AES.MODE_OCB)
ciphertext, tag = cipher.encrypt_and_digest(plaintext)
```
## References
- [PyCryptodome modern ciphers](https://pycryptodome.readthedocs.io/en/latest/src/cipher/modern.html)
cwe_id:
- 327
id: python_lang_weak_encryption_des
documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_encryption_des
cloud_code_suggestions: true
severity: high
43 changes: 43 additions & 0 deletions rules/python/lang/weak_encryption_ecb_mode.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
imports:
- python_shared_lang_import2
patterns:
- pattern: $<AES>.MODE_ECB
filters:
- variable: AES
detection: python_shared_lang_import2
scope: cursor
filters:
- variable: MODULE1
values: [Crypto]
- variable: MODULE2
values: [Cipher]
- variable: NAME
values: [AES]
languages:
- python
metadata:
description: Usage of ECB cipher mode
remediation_message: |-
## Description
The ECB (Electronic Codebook) cipher mode is recognized as insecure and is not recommended for use in cryptographic protocols. This mode does not provide adequate data protection because it encrypts identical plaintext blocks into identical ciphertext blocks, making it vulnerable to pattern analysis. For stronger security, it's essential to use encryption algorithms that have built-in message integrity and do not require a mode of operation to be configured, such as ChaCha20-Poly1305 or, for older applications that do not support this, AES-256-GCM.
## Remediations
- **Do** choose ChaCha20-Poly1305 or AES-256-GCM for encryption. These algorithms include built-in message integrity, offering a more secure alternative to ECB mode.
```python
from Crypto.Cipher import ChaCha20_Poly1305
cipher = ChaCha20_Poly1305.new(key)
ciphertext, tag = cipher.encrypt_and_digest(plaintext)
```
## References
- [PyCryptodome modern ciphers](https://pycryptodome.readthedocs.io/en/latest/src/cipher/modern.html)
cwe_id:
- 327
id: python_lang_weak_encryption_ecb_mode
documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_encryption_ecb_mode
cloud_code_suggestions: true
severity: high
63 changes: 63 additions & 0 deletions rules/python/lang/weak_encryption_rc4.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
imports:
- python_shared_lang_datatype
- python_shared_lang_import2
patterns:
- pattern: $<CIPHER>.encrypt($<OPTIONAL_DATA_TYPE>$<...>)
filters:
- variable: CIPHER
detection: python_lang_weak_encryption_rc4_instance
scope: cursor
- either:
- variable: OPTIONAL_DATA_TYPE
detection: python_shared_lang_datatype
scope: result
- not:
variable: OPTIONAL_DATA_TYPE
detection: python_shared_lang_datatype
scope: result
auxiliary:
- id: python_lang_weak_encryption_rc4_instance
patterns:
- pattern: $<RC4>.new($<...>)
filters:
- variable: RC4
detection: python_shared_lang_import2
scope: cursor
filters:
- variable: MODULE1
values: [Crypto]
- variable: MODULE2
values: [Cipher]
- variable: NAME
values: [ARC4]
languages:
- python
skip_data_types:
- Passwords # see python_lang_weak_password_encryption_rc4
metadata:
description: "Usage of weak encryption algorithm (RC4)"
remediation_message: |-
## Description
Your code is at risk due to the use of RC4 (Rivest's Cipher version 4), a weak encryption algorithm. This vulnerability can lead to data breaches and compromises your security measures.
## Remediations
- **Do not** use RC4 as it is outdated and vulnerable to attacks. Its use can significantly weaken your application's security.
- **Do** use stronger encryption algorithms to enhance data security. AES (Advanced Encryption Standard) is a recommended choice.
```python
from Crypto.Cipher import AES
cipher = AES.new(aes_key, AES.MODE_OCB)
ciphertext, tag = cipher.encrypt_and_digest(plaintext)
```
## References
- [PyCryptodome modern ciphers](https://pycryptodome.readthedocs.io/en/latest/src/cipher/modern.html)
cwe_id:
- 327
id: python_lang_weak_encryption_rc4
documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_encryption_rc4
cloud_code_suggestions: true
severity: high
Loading

0 comments on commit e43f6ab

Please sign in to comment.