Skip to content

Commit a34ecdf

Browse files
ESS-ENNESS-ENN
authored
Add Security Rules for Flask, Cassandra, and Couchbase in YAML Configs (#65)
* python-cassandra-empty-password-python * python-couchbase-empty-password-python * hashids-with-flask-secret-python
1 parent 2f95a8e commit a34ecdf

9 files changed

+1009
-0
lines changed

rules/python/security/hashids-with-flask-secret-python.yml

Lines changed: 201 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,201 @@
1+
id: hashids-with-flask-secret-python
2+
severity: warning
3+
language: python
4+
message: >-
5+
The Flask secret key is used as salt in HashIDs. The HashID mechanism
6+
is not secure. By observing sufficient HashIDs, the salt used to construct
7+
them can be recovered. This means the Flask secret key can be obtained by
8+
attackers, through the HashIDs).
9+
note: >-
10+
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
11+
[REFERENCES]
12+
- https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY
13+
- http://carnage.github.io/2015/08/cryptanalysis-of-hashids
14+
utils:
15+
hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...):
16+
# hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...)
17+
kind: call
18+
all:
19+
- has:
20+
stopBy: neighbor
21+
kind: attribute
22+
regex: ^hashids.Hashids$
23+
- has:
24+
stopBy: neighbor
25+
kind: argument_list
26+
has:
27+
stopBy: end
28+
kind: keyword_argument
29+
all:
30+
- has:
31+
stopBy: neighbor
32+
kind: identifier
33+
regex: ^salt$
34+
- has:
35+
stopBy: neighbor
36+
kind: subscript
37+
pattern: flask.current_app.config['SECRET_KEY']
38+
hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...):
39+
# hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...)
40+
kind: call
41+
all:
42+
- has:
43+
stopBy: neighbor
44+
kind: attribute
45+
regex: ^hashids.Hashids$
46+
- has:
47+
stopBy: neighbor
48+
kind: argument_list
49+
has:
50+
stopBy: neighbor
51+
kind: subscript
52+
pattern: flask.current_app.config['SECRET_KEY']
53+
hashids.Hashids($APP.config['SECRET_KEY'], ...):
54+
# hashids.Hashids($APP.config['SECRET_KEY'], ...)
55+
kind: call
56+
all:
57+
- has:
58+
stopBy: neighbor
59+
kind: attribute
60+
regex: ^hashids.Hashids$
61+
- has:
62+
stopBy: neighbor
63+
kind: argument_list
64+
has:
65+
stopBy: neighbor
66+
kind: subscript
67+
pattern: $APP.config['SECRET_KEY']
68+
- inside:
69+
stopBy: end
70+
kind: module
71+
has:
72+
stopBy: end
73+
kind: expression_statement
74+
has:
75+
stopBy: neighbor
76+
kind: assignment
77+
pattern: $APP = flask.Flask($$$)
78+
hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...):
79+
# hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...)
80+
kind: call
81+
all:
82+
- has:
83+
stopBy: neighbor
84+
kind: attribute
85+
regex: ^hashids.Hashids$
86+
- has:
87+
stopBy: neighbor
88+
kind: argument_list
89+
has:
90+
stopBy: end
91+
kind: keyword_argument
92+
all:
93+
- has:
94+
stopBy: neighbor
95+
kind: identifier
96+
regex: ^salt$
97+
- has:
98+
stopBy: neighbor
99+
kind: subscript
100+
pattern: $APP.config['SECRET_KEY']
101+
- inside:
102+
stopBy: end
103+
kind: module
104+
has:
105+
stopBy: end
106+
kind: expression_statement
107+
has:
108+
stopBy: neighbor
109+
kind: assignment
110+
pattern: $APP = flask.Flask($$$)
111+
Hashids(salt=app.config['SECRET_KEY']):
112+
# from hashids import Hashids
113+
# from flask import current_app as app
114+
# hash_id = Hashids(salt=app.config['SECRET_KEY'])
115+
kind: call
116+
all:
117+
- has:
118+
stopBy: neighbor
119+
kind: identifier
120+
regex: ^Hashids$
121+
- has:
122+
stopBy: neighbor
123+
kind: argument_list
124+
has:
125+
stopBy: end
126+
kind: keyword_argument
127+
all:
128+
- has:
129+
stopBy: neighbor
130+
kind: identifier
131+
regex: ^salt$
132+
- has:
133+
stopBy: neighbor
134+
kind: subscript
135+
pattern: $APP.config['SECRET_KEY']
136+
- inside:
137+
stopBy: end
138+
kind: module
139+
all:
140+
- has:
141+
stopBy: end
142+
kind: import_from_statement
143+
pattern: from hashids import Hashids
144+
- any:
145+
- has:
146+
stopBy: end
147+
kind: import_from_statement
148+
pattern: from flask import current_app as $APP
149+
- has:
150+
stopBy: end
151+
kind: expression_statement
152+
has:
153+
stopBy: end
154+
kind: assignment
155+
pattern: $APP = Flask($$$)
156+
Hashids(salt=current_app.config['SECRET_KEY']):
157+
# from hashids import Hashids
158+
# from flask import current_app
159+
# hashids = Hashids(min_length=5, salt=current_app.config['SECRET_KEY'])
160+
kind: call
161+
all:
162+
- has:
163+
stopBy: neighbor
164+
kind: identifier
165+
regex: ^Hashids$
166+
- has:
167+
stopBy: neighbor
168+
kind: argument_list
169+
has:
170+
stopBy: end
171+
kind: keyword_argument
172+
all:
173+
- has:
174+
stopBy: neighbor
175+
kind: identifier
176+
regex: ^salt$
177+
- has:
178+
stopBy: neighbor
179+
kind: subscript
180+
pattern: current_app.config['SECRET_KEY']
181+
- inside:
182+
stopBy: end
183+
kind: module
184+
all:
185+
- has:
186+
stopBy: end
187+
kind: import_from_statement
188+
pattern: from hashids import Hashids
189+
- has:
190+
stopBy: end
191+
kind: import_from_statement
192+
pattern: from flask import current_app
193+
rule:
194+
kind: call
195+
any:
196+
- matches: hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...)
197+
- matches: hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...)
198+
- matches: hashids.Hashids($APP.config['SECRET_KEY'], ...)
199+
- matches: hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...)
200+
- matches: Hashids(salt=app.config['SECRET_KEY'])
201+
- matches: Hashids(salt=current_app.config['SECRET_KEY'])

0 commit comments

Comments
 (0)