Bandit

Insecure hash functions created by hashlib.new() should be flagged

Bug #1708582 reported by Rajath Agasthya
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Bandit
Fix Released
High
Rajath Agasthya

Bug Description

Currently, bandit only flags if hashlib's md2(), md4(), md5() functions are used, but doesn't flag if those insecure functions are used via hashlib.new().

Example:

$ cat test.py

import hashlib

md5_hash = hashlib.new('md5')
print(md5_hash)

md4_hash = hashlib.new('md4')
print(md4_hash)

$ bandit test.py

[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 2.7.13
[node_visitor] INFO Unable to find qualified name for module: test.py
Run started:2017-08-04 05:13:41.838568

Test results:
 No issues identified.

Code scanned:
 Total lines of code: 5
 Total lines skipped (#nosec): 0

Run metrics:
 Total issues (by severity):
  Undefined: 0
  Low: 0
  Medium: 0
  High: 0
 Total issues (by confidence):
  Undefined: 0
  Low: 0
  Medium: 0
  High: 0
Files skipped (0):

Revision history for this message
Luke Hinds (lhinds) wrote :

Slightly tricky one this, as if we add hashlib.new , then Bandit will incorrectly report on legitimate crypto, such as `hash = hashlib.new('sha256')`

This would need us to be able to look beyond just the call and the calls content as well.

Changed in bandit:
status: New → Confirmed
Revision history for this message
Rajath Agasthya (rajagast) wrote :

Yeah, it's possible to get the call args using AST and we can just compare it with known insecure hash functions functions.

In [3]: text = """hashlib.new('md5')"""

In [4]: tree = ast.parse(text)

In [5]: call = tree.body[0].value

In [6]: call
Out[6]: <_ast.Call at 0x10e3e3cd0>

In [7]: call.args[0].s
Out[7]: 'md5'

What do you think? I'm happy to take a shot at implementing this.

Changed in bandit:
assignee: nobody → Rajath Agasthya (rajagast)
Revision history for this message
Luke Hinds (lhinds) wrote :

Rajath,

Apologies for late reply, sure please go ahead (can see you have already assigned yourself).

Feel free to come on the security group meeting as well if you want to discuss any bandit topics - 17:00 UTC @ #openstack-meeting-alt (freenode)

Changed in bandit:
importance: Undecided → High
Rajath Agasthya (rajagast)
Changed in bandit:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to bandit (master)

Fix proposed to branch: master
Review: https://review.openstack.org/504544

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to bandit (master)

Reviewed: https://review.openstack.org/504544
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=a98519927be935eb6f331226c1fcc272822d4a68
Submitter: Zuul
Branch: master

commit a98519927be935eb6f331226c1fcc272822d4a68
Author: Rajath Agasthya <email address hidden>
Date: Fri Sep 15 18:25:55 2017 -0700

    Plugin to flag insecure hash functions created using hashlib.new()

    Currently, insecure hash function usage by calling hashlib.md5()
    is flagged in B303. But these hash functions can also be obtained using
    hashlib.new(), by passing 'md4' or 'md5' as an argument. This plugin
    checks such usage.

    Change-Id: I8d368aea287e1287e5f638b48c4297d355037839
    Closes-Bug: #1708582

Changed in bandit:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.