Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds check for crypt module usage as weak hash #1018

Merged
merged 1 commit into from Apr 10, 2023
Merged

Adds check for crypt module usage as weak hash #1018

merged 1 commit into from Apr 10, 2023

Conversation

ericwb
Copy link
Member

@ericwb ericwb commented Apr 10, 2023
edited

The crypt module also permits creating weak hashes such as MD5 just like hashlib. This change extends the hashlib plugin to add the extra checks on calls to crypt.crypt and crypt.mksalt which both take a hash method parameter.

The new checks won't necessarily catch all weak hashes available as the operating system might provide others that the crypt module picks up. But it will capture cases with the default set. Namely, METHOD_CRYPT, METHOD_MD5, and METHOD_BLOWFISH.

Also note that crypt.methods is supposed to return a list all available hash methods. However, testing has shown that it can return just METHOD_CRYPT, the weakest of the bunch. And passing None as args to these module functions will default to the highest available hash from crypt.methods. So this also can be weak by default, but no reliable for Bandit to detect.

https://docs.python.org/3.11/library/crypt.html#module-crypt

Fixes #1017

@ericwb
Adds check for crypt module usage as weak hash
06ffbae 
The crypt module also permits creating weak hashes such as MD5
just like hashlib. This change extends the hashlib plugin to add
the extra checks on calls to crypt.crypt and crypt.mksalt which
both take a hash method parameter.

The new checks won't necessarily catch all weak hashes available
as the operating system might provide others that the crypt
module picks up. But it will capture cases with the default set.
Namely, METHOD_CRYPT", METHOD_MD5, and METHOD_BLOWFISH.

Also note that crypt.methods is supposed to return a list all
available hash methods. However, testing has shown that it can
return just METHOD_CRYPT, the weakest of the bunch. And passing
None as args to these module functions will default to the
highest available hash from crypt.methods. So this also can
be weak by default, but no reliable for Bandit to detect.

https://docs.python.org/3.11/library/crypt.html#module-crypt

Fixes PyCQA#1017

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
@ericwb ericwb merged commit c4da1cb into PyCQA:main Apr 10, 2023
13 checks passed
@ericwb ericwb deleted the crypt.crypt branch April 10, 2023 16:55
mkniewallner added a commit to mkniewallner/ruff that referenced this pull request Mar 9, 2024
@mkniewallner
feat(rules): flag weak hashes in crypt for S324
8f07fc8 
Ref: PyCQA/bandit#1018
mkniewallner added a commit to mkniewallner/ruff that referenced this pull request Mar 9, 2024
@mkniewallner
feat(rules): flag weak hashes in crypt for S324
5ccb3d5 
Ref: PyCQA/bandit#1018
mkniewallner added a commit to mkniewallner/ruff that referenced this pull request Mar 9, 2024
@mkniewallner
feat(rules): flag weak hashes in crypt for S324
08738a0 
Ref: PyCQA/bandit#1018
mkniewallner added a commit to mkniewallner/ruff that referenced this pull request Mar 9, 2024
@mkniewallner
feat(rules): flag weak hashes in crypt for S324
778b977 
Ref: PyCQA/bandit#1018
mkniewallner added a commit to mkniewallner/ruff that referenced this pull request Mar 9, 2024
@mkniewallner
feat(rules): flag weak hashes in crypt for S324
44cfa1f 
Ref: PyCQA/bandit#1018
mkniewallner added a commit to mkniewallner/ruff that referenced this pull request Mar 9, 2024
@mkniewallner
feat(rules): flag weak hashes in crypt for S324
24c1fcd 
Ref: PyCQA/bandit#1018
mkniewallner added a commit to mkniewallner/ruff that referenced this pull request Mar 9, 2024
@mkniewallner
feat(rules): flag weak hashes in crypt for S324
9226256 
Ref: PyCQA/bandit#1018
mkniewallner added a commit to mkniewallner/ruff that referenced this pull request Mar 9, 2024
@mkniewallner
feat(rules): flag weak hashes in crypt for S324
4b48d08 
Ref: PyCQA/bandit#1018
@mkniewallner mkniewallner mentioned this pull request Mar 9, 2024
Merged
mkniewallner added a commit to mkniewallner/ruff that referenced this pull request Mar 9, 2024
@mkniewallner
feat(rules): flag weak hashes in crypt for S324
eeb7a04 
Ref: PyCQA/bandit#1018
charliermarsh pushed a commit to astral-sh/ruff that referenced this pull request Mar 11, 2024
@mkniewallner
[flake8-bandit] Implement upstream updates for S311, S324 and `…
bc693ea 
…S605` (#10313)

## Summary

Pick up updates made in latest
[releases](https://github.com/PyCQA/bandit/releases) of `bandit`:
- `S311`: PyCQA/bandit#940 and
PyCQA/bandit#1096
- `S324`: PyCQA/bandit#1018
- `S605`: PyCQA/bandit#1116

## Test Plan

Snapshot tests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sigmavirus24 sigmavirus24 sigmavirus24 approved these changes

@lukehinds lukehinds Awaiting requested review from lukehinds lukehinds is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use of crypt should be flagged
2 participants
@ericwb @sigmavirus24