Merge "Add pycrypto to blacklist"

2018-02-12 22:45:50 +00:00 · 2018-02-12 22:45:50 +00:00 · 6fd7fccf70
parent a41f4ecab5 dc3ff2d917
commit 6fd7fccf70
4 changed files with 41 additions and 0 deletions
--- a/bandit/blacklists/imports.py
+++ b/bandit/blacklists/imports.py
@ -179,6 +179,19 @@ at https://httpoxy.org/.
 |      |                     | - twisted.web.twcgi.CGIScript      |           |
 +------+---------------------+------------------------------------+-----------+

+B413: import_pycrypto
+---------------------
+pycrypto library is known to have publicly disclosed buffer overflow
+vulnerability https://github.com/dlitz/pycrypto/issues/176. It is no longer
+actively maintained and has been deprecated in favor of pyca/cryptography
+library.
+
+------+---------------------+------------------------------------+-----------+
+| ID   |  Name               |  Imports                           |  Severity |
+======+=====================+====================================+===========+
+| B413 | import_pycrypto     | - Crypto                           | high      |
+------+---------------------+------------------------------------+-----------+
+
 """

 from bandit.blacklists import utils
@ -268,4 +281,10 @@ def gen_blacklist():
        '{name} module.', 'HIGH'
        ))

+    sets.append(utils.build_conf_dict(
+        'import_pycrypto', 'B413', ['Crypto'],
+        'The pyCrypto library and its module {name} are no longer actively '
+        'maintained and have been deprecated. '
+        'Consider using pyca/cryptography library.', 'HIGH'))
+
    return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
--- a/examples/pycrypto.py
+++ b/examples/pycrypto.py
@ -0,0 +1,8 @@
+from Crypto.Cipher import AES
+from Crypto import Random
+
+
+def test_pycrypto():
+    key = b'Sixteen byte key'
+    iv = Random.new().read(AES.block_size)
+    cipher = pycrypto_arc2.new(key, AES.MODE_CFB, iv)
--- a/releasenotes/notes/add-pycrypto-warn-c430f40f1d0fb44a.yaml
+++ b/releasenotes/notes/add-pycrypto-warn-c430f40f1d0fb44a.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    PyCrypto library is no longer actively maintained and should be replaced
+    with ``cryptography`` library. A new rule is added to detect and warn the
+    import and use of ``pycrypto`` module.
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@ -721,3 +721,11 @@ class FunctionalTests(testtools.TestCase):
            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 5}
        }
        self.check_example('hashlib_new_insecure_functions.py', expect)
+
+    def test_blacklist_pycrypto(self):
+        '''Test importing pycrypto module'''
+        expect = {
+            'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2},
+            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
+        }
+        self.check_example('pycrypto.py', expect)