
Adds check for crypt module usage as weak hash #1018

Merged (1 commit), Apr 10, 2023

Conversation

@ericwb (Member) commented Apr 10, 2023

The crypt module also permits creating weak hashes such as MD5 just like hashlib. This change extends the hashlib plugin to add the extra checks on calls to crypt.crypt and crypt.mksalt which both take a hash method parameter.

The new checks won't necessarily catch all weak hashes available as the operating system might provide others that the crypt module picks up. But it will capture cases with the default set. Namely, METHOD_CRYPT, METHOD_MD5, and METHOD_BLOWFISH.

Also note that crypt.methods is supposed to return a list of all available hash methods. However, testing has shown that it can return just METHOD_CRYPT, the weakest of the bunch. And passing None as args to these module functions will default to the highest available hash from crypt.methods. So this also can be weak by default, but not reliable for Bandit to detect.

https://docs.python.org/3.11/library/crypt.html#module-crypt

Fixes #1017

The crypt module also permits creating weak hashes such as MD5
just like hashlib. This change extends the hashlib plugin to add
the extra checks on calls to crypt.crypt and crypt.mksalt which
both take a hash method parameter.

The new checks won't necessarily catch all weak hashes available
as the operating system might provide others that the crypt
module picks up. But it will capture cases with the default set.
Namely, METHOD_CRYPT, METHOD_MD5, and METHOD_BLOWFISH.

Also note that crypt.methods is supposed to return a list of all
available hash methods. However, testing has shown that it can
return just METHOD_CRYPT, the weakest of the bunch. And passing
None as args to these module functions will default to the
highest available hash from crypt.methods. So this also can
be weak by default, but not reliable for Bandit to detect.

https://docs.python.org/3.11/library/crypt.html#module-crypt

Fixes PyCQA#1017

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
@ericwb ericwb merged commit c4da1cb into PyCQA:main Apr 10, 2023
@ericwb ericwb deleted the crypt.crypt branch April 10, 2023 16:55
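The kind of check the PR description above outlines, written here as a stand-alone AST scan (added example, not Bandit's own plugin code): it flags `crypt.crypt` and `crypt.mksalt` calls whose method argument is one of the three default weak constants, and separately reports calls that omit the method or pass `None`, since those fall back to `crypt.methods` and cannot be judged statically. The sample source is constructed for the example and is only parsed, never executed.

```python
"""Stand-alone AST scan for weak crypt hash methods (example, not Bandit's plugin)."""
import ast

# Default-set methods the PR treats as weak (names as in the crypt docs).
WEAK_METHODS = {"METHOD_CRYPT", "METHOD_MD5", "METHOD_BLOWFISH"}
# crypt.crypt(word, salt) takes the method via its second argument ('salt');
# crypt.mksalt(method) takes it via its first ('method').
TARGETS = {"crypt.crypt": (1, "salt"), "crypt.mksalt": (0, "method")}


def _call_name(func):
    """Return 'crypt.crypt' for a crypt.crypt(...) call, otherwise None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _method_arg(call, index, keyword):
    """Return the AST node passed as the hash-method argument, or None if omitted."""
    for kw in call.keywords:
        if kw.arg == keyword:
            return kw.value
    return call.args[index] if len(call.args) > index else None


def _method_name(node):
    """Resolve crypt.METHOD_MD5 (or a bare METHOD_MD5 name) to its constant name."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None


def find_weak_crypt_calls(source):
    """Scan Python source text; return sorted (lineno, callee, verdict) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):  # walk also reaches nested calls
        if not isinstance(node, ast.Call) or _call_name(node.func) not in TARGETS:
            continue
        name = _call_name(node.func)
        arg = _method_arg(node, *TARGETS[name])
        if arg is None or (isinstance(arg, ast.Constant) and arg.value is None):
            # Falls back to the strongest entry of crypt.methods, which the PR notes
            # can itself be METHOD_CRYPT; a static scan cannot decide this case.
            findings.append((node.lineno, name, "default method, not statically verifiable"))
        elif _method_name(arg) in WEAK_METHODS:
            findings.append((node.lineno, name, f"weak method {_method_name(arg)}"))
    return sorted(findings)


# Constructed sample input; parsed only, never run.
SAMPLE = """import crypt
pw = "secret"
h1 = crypt.crypt(pw, crypt.mksalt(crypt.METHOD_MD5))
h2 = crypt.crypt(pw, crypt.METHOD_SHA512)
h3 = crypt.mksalt(None)
h4 = crypt.crypt(pw, "$6$rounds=5000$abc")
"""
```

Running `find_weak_crypt_calls(SAMPLE)` reports the nested `mksalt(METHOD_MD5)` on line 3 and the `mksalt(None)` default on line 5; the SHA-512 constant and the literal `$6$` salt string produce no finding.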
charliermarsh pushed a commit to astral-sh/ruff that referenced this pull request Mar 11, 2024
…S605` (#10313)

## Summary

Pick up updates made in latest
[releases](https://github.com/PyCQA/bandit/releases) of `bandit`:
- `S311`: PyCQA/bandit#940 and
PyCQA/bandit#1096
- `S324`: PyCQA/bandit#1018
- `S605`: PyCQA/bandit#1116

## Test Plan

Snapshot tests
Successfully merging this pull request may close these issues.

Use of crypt should be flagged