openstack/bandit
Code Issues Proposed changes

Add sha-1 to list of insecure hashes

Browse Source 
With the news of a first collison implemented [1], bandit should
now start blacklisting the use of sha-1.

The sha-1 hash was added to the existing blacklist check B303 which
currently checks for MD5 and variants.

[1]: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Change-Id: I411d8d4aeb4d740635c60b559ecda72ab951b629
This commit is contained in:
Eric Brown 2017-02-23 11:05:04 -08:00
parent 87c8b70e7b
commit 35e35446b0
3 changed files with 23 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
bandit/blacklists/calls.py
View File

@ -55,20 +55,25 @@ Deserialization with the marshal module is possibly dangerous.
B303: md5
---------
Use of insecure MD2, MD4, or MD5 hash function.
Use of insecure MD2, MD4, MD5, or SHA1 hash function.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Calls | Severity |
+======+=====================+====================================+===========+
| B303 | md5 | - hashlib.md5 | Medium |
| | | - hashlib.sha1 | |
| | | - Crypto.Hash.MD2.new | |
| | | - Crypto.Hash.MD4.new | |
| | | - Crypto.Hash.MD5.new | |
| | | - Crypto.Hash.SHA.new | |
| | | - Cryptodome.Hash.MD2.new | |
| | | - Cryptodome.Hash.MD4.new | |
| | | - Cryptodome.Hash.MD5.new | |
| | | - Cryptodome.Hash.SHA.new | |
| | | - cryptography.hazmat.primitives | |
| | | .hashes.MD5 | |
| | | - cryptography.hazmat.primitives | |
| | | .hashes.SHA1 | |
+------+---------------------+------------------------------------+-----------+
B304 - B305: ciphers and modes
@ -318,14 +323,18 @@ def gen_blacklist():
sets.append(utils.build_conf_dict(
'md5', 'B303',
['hashlib.md5',
'hashlib.sha1',
'Crypto.Hash.MD2.new',
'Crypto.Hash.MD4.new',
'Crypto.Hash.MD5.new',
'Crypto.Hash.SHA.new',
'Cryptodome.Hash.MD2.new',
'Cryptodome.Hash.MD4.new',
'Cryptodome.Hash.MD5.new',
'cryptography.hazmat.primitives.hashes.MD5'],
'Use of insecure MD2, MD4, or MD5 hash function.'
'Cryptodome.Hash.SHA.new',
'cryptography.hazmat.primitives.hashes.MD5',
'cryptography.hazmat.primitives.hashes.SHA1'],
'Use of insecure MD2, MD4, MD5, or SHA1 hash function.'
))
sets.append(utils.build_conf_dict(

7
examples/crypto-md5.py
View File

@ -2,9 +2,11 @@ from cryptography.hazmat.primitives import hashes
from Crypto.Hash import MD2 as pycrypto_md2
from Crypto.Hash import MD4 as pycrypto_md4
from Crypto.Hash import MD5 as pycrypto_md5
from Crypto.Hash import SHA as pycrypto_sha
from Cryptodome.Hash import MD2 as pycryptodomex_md2
from Cryptodome.Hash import MD4 as pycryptodomex_md4
from Cryptodome.Hash import MD5 as pycryptodomex_md5
from Cryptodome.Hash import SHA as pycryptodomex_sha
import hashlib
hashlib.md5(1)
@ -14,12 +16,17 @@ abc = str.replace(hashlib.md5("1"), "###")
print(hashlib.md5("1"))
hashlib.sha1(1)
pycrypto_md2.new()
pycrypto_md4.new()
pycrypto_md5.new()
pycrypto_sha.new()
pycryptodomex_md2.new()
pycryptodomex_md4.new()
pycryptodomex_md5.new()
pycryptodomex_sha.new()
hashes.MD5()
hashes.SHA1()

8
tests/functional/test_functional.py
View File

@ -120,16 +120,16 @@ class FunctionalTests(testtools.TestCase):
def test_crypto_md5(self):
'''Test the `hashlib.md5` example.'''
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 11, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 11}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 15, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 15}
}
self.check_example('crypto-md5.py', expect)
def test_ciphers(self):
'''Test the `Crypto.Cipher` example.'''
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 13},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 13}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 13},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 14}
}
self.check_example('ciphers.py', expect)