Adding a test for hardcoded passwords

2014-09-16 09:28:20 -07:00 · 2014-09-16 09:28:20 -07:00 · 6c5a79f37a
commit 6c5a79f37a
parent ee6d75dc95
4 changed files with 72 additions and 1 deletions
--- a/bandit.yaml
+++ b/bandit.yaml
@ -73,4 +73,7 @@ blacklist_imports:
        - info_libs:
            import: pickle, subprocess, Crypto
            level: INFO
-            message: "Consider possible security implications associated with {module} module."
+            message: "Consider possible security implications associated with {module} module."
+
+hardcoded_password:
+    word_list: "wordlist/default-passwords"
--- a/examples/hardcoded-passwords.py
+++ b/examples/hardcoded-passwords.py
@ -0,0 +1,7 @@
+def someFunction(user, password="Admin"):
+    print "Hi " + user
+
+def someFunction2(password):
+    if password == "root":
+        print "OK, logged in"
+
--- a/plugins/general_hardcoded_password.py
+++ b/plugins/general_hardcoded_password.py
@ -0,0 +1,46 @@
+# -*- coding:utf-8 -*-
+#
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import bandit
+from bandit.test_selector import *
+
+
+@takes_config
+@checks_strings
+def hardcoded_password(context, config):
+    word_list_file = ""
+
+    # try to read the word list file from config
+    if(config is not None and 'word_list' in config and
+            type(config['word_list']) == str):
+        word_list_file = config['word_list']
+
+    word_list = []
+
+    # try to open the word list file and read passwords from it
+    try:
+        f = open(word_list_file, 'r')
+    except (OSError, IOError):
+        return
+    else:
+        for word in f:
+            word_list.append(word.strip())
+        f.close()
+
+    # for every password in the list, check against the current string
+    for word in word_list:
+        if context.string_val == word:
+            return bandit.WARN, "Possible hardcoded password '(%s)'" % word
--- a/wordlist/default-passwords
+++ b/wordlist/default-passwords
@ -0,0 +1,15 @@
+Password
+password
+1234
+12345
+123456
+1234567
+12345678
+Password123
+password123
+admin
+Admin
+root
+Administrator
+administrator
+