Insecure hash functions created by hashlib.new() should be flagged
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Bandit | Fix Released | High | Rajath Agasthya | |
Bug Description
Currently, bandit only flags direct uses of hashlib's md2(), md4() and md5() functions, but it doesn't flag the same insecure algorithms when they are requested through hashlib.new().
Example:
```text
$ cat test.py
import hashlib
md5_hash = hashlib.new('md5')
print(md5_hash)
md4_hash = hashlib.new('md4')
print(md4_hash)
$ bandit test.py
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 2.7.13
[node_visitor]	INFO	Unable to find qualified name for module: test.py
Run started:2017-08-04 05:13:41.838568

Test results:
	No issues identified.

Code scanned:
	Total lines of code: 5
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 0
	Total issues (by confidence):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 0
Files skipped (0):
```
| Changed in bandit: | |
|---|---|
| status: | Confirmed → In Progress |
Slightly tricky one this, as if we add hashlib.new, then Bandit will incorrectly report on legitimate crypto, such as `hash = hashlib.new('sha256')`.
This would need us to be able to look beyond just the call and at the call's contents as well.
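The following is an added, stand-alone illustration of the check the bug description asks for and of the distinction the comment above raises; it is not Bandit's plugin code and does not use Bandit's plugin API. It walks the Python AST, finds calls spelled `hashlib.new(...)`, and flags a call only when the algorithm argument (first positional argument or `name=`) is a string literal naming one of the digests listed in the report (md2, md4, md5). A literal `'sha256'` is left alone, and a non-literal argument is not flagged rather than guessed at. The `WEAK_DIGESTS` set, the helper names and the `SAMPLE` source are constructed for this example.

```python
import ast

# Constructed for this example: the digest names the bug report treats as
# insecure (md2, md4, md5). Anything else requested via hashlib.new() passes.
WEAK_DIGESTS = {"md2", "md4", "md5"}


def _is_hashlib_new(call: ast.Call) -> bool:
    """True when the call is spelled hashlib.new(...), i.e. attribute 'new'
    accessed on the bare name 'hashlib'. Aliased imports are not resolved."""
    func = call.func
    return (
        isinstance(func, ast.Attribute)
        and func.attr == "new"
        and isinstance(func.value, ast.Name)
        and func.value.id == "hashlib"
    )


def _requested_digest(call: ast.Call):
    """Return the lower-cased digest name passed to hashlib.new(), or None.

    hashlib.new() takes the algorithm as its first positional argument or as
    name=...; when that argument is not a string literal (a variable, a call
    result) we return None so the caller does not flag it on a guess.
    """
    arg = call.args[0] if call.args else None
    if arg is None:
        for kw in call.keywords:
            if kw.arg == "name":
                arg = kw.value
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return arg.value.lower()
    return None


def find_weak_hashlib_new(source: str):
    """Parse Python source text and return a list of (line, digest) tuples,
    one per hashlib.new() call whose literal algorithm is in WEAK_DIGESTS."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_hashlib_new(node):
            digest = _requested_digest(node)
            if digest in WEAK_DIGESTS:
                findings.append((node.lineno, digest))
    return findings


# Constructed sample: the report's test.py plus the legitimate sha256 call
# the maintainer comment warns a naive hashlib.new check would flag, a
# keyword-argument form, and a non-literal argument.
SAMPLE = """\
import hashlib
md5_hash = hashlib.new('md5')
print(md5_hash)
md4_hash = hashlib.new('md4')
print(md4_hash)
ok = hashlib.new('sha256')
also_ok = hashlib.new(name='sha512')
unknown = hashlib.new(algo_from_config)
"""

if __name__ == "__main__":
    for line, digest in find_weak_hashlib_new(SAMPLE):
        print(f"line {line}: insecure hash function {digest} requested via hashlib.new()")
```

Run against `SAMPLE` this reports lines 2 (md5) and 4 (md4) and nothing else. The checker deliberately matches only the literal spelling `hashlib.new`; `import hashlib as h` or `from hashlib import new` would need import tracking, which is the "look beyond just the call" problem the comment describes.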