From dc3ff2d91785eee49394bd7c8b9e75ddfb616ea4 Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Wed, 27 Dec 2017 21:41:15 -0600
Subject: [PATCH] Add pycrypto to blacklist

This patch set adds pyCrypto to bandit's blacklist, so bandit will strongly advise against using pyCrypto. As mentioned in the bug, this may cause false positives if people use pyCrytodome, but will be tracked and addressed in follow up patch set.

Depends-On: I0b1a90c3a47ad6d3b18597e5315e9f017854a146
Change-Id: I81f695cd31dee393ab4530dbcdb20dd925bbece2
Closes-Bug: #1655973
---
 bandit/blacklists/imports.py | 19 +++++++++++++++++++
 examples/pycrypto.py | 8 ++++++++
 .../add-pycrypto-warn-c430f40f1d0fb44a.yaml | 6 ++++++
 tests/functional/test_functional.py | 8 ++++++++
 4 files changed, 41 insertions(+)
 create mode 100644 examples/pycrypto.py
 create mode 100644 releasenotes/notes/add-pycrypto-warn-c430f40f1d0fb44a.yaml

diff --git a/bandit/blacklists/imports.py b/bandit/blacklists/imports.py
index 833e1815..6805a02e 100644
--- a/bandit/blacklists/imports.py
+++ b/bandit/blacklists/imports.py
@@ -179,6 +179,19 @@ at https://httpoxy.org/.
 | | | - twisted.web.twcgi.CGIScript | |
 +------+---------------------+------------------------------------+-----------+
 
+B413: import_pycrypto
+---------------------
+pycrypto library is known to have publicly disclosed buffer overflow
+vulnerability https://github.com/dlitz/pycrypto/issues/176. It is no longer
+actively maintained and has been deprecated in favor of pyca/cryptography
+library.
+
++------+---------------------+------------------------------------+-----------+
+| ID | Name | Imports | Severity |
++======+=====================+====================================+===========+
+| B413 | import_pycrypto | - Crypto | high |
++------+---------------------+------------------------------------+-----------+
+
 """
 
 from bandit.blacklists import utils
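Review bot: The new B413 docstring presents the `Crypto` import as pyCrypto only, yet the commit message itself acknowledges false positives for users of pyCryptodome, which ships under the same top-level `Crypto` package name; the documentation should state that limitation so a finding on a pyCryptodome import is not read as a claim that the vulnerable library is in use. I would add after `library.` the line `Note that pycryptodome installs under the same ``Crypto`` namespace and will also trigger this check until it can be told apart.` The same caveat belongs in the `build_conf_dict` message added in the gen_blacklist hunk below, which currently names only pyCrypto. The docstring's Imports column lists only `Crypto`, which matches the `['Crypto']` list in that hunk, so the two stay consistent.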
@@ -268,4 +281,10 @@ def gen_blacklist():
 '{name} module.', 'HIGH'
 ))
 
+ sets.append(utils.build_conf_dict(
+ 'import_pycrypto', 'B413', ['Crypto'],
+ 'The pyCrypto library and its module {name} are no longer actively '
+ 'maintained and have been deprecated. '
+ 'Consider using pyca/cryptography library.', 'HIGH'))
+
 return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
diff --git a/examples/pycrypto.py b/examples/pycrypto.py
new file mode 100644
index 00000000..8fa00c7a
--- /dev/null
+++ b/examples/pycrypto.py
@@ -0,0 +1,8 @@
+from Crypto.Cipher import AES
+from Crypto import Random
+
+
+def test_pycrypto():
+ key = b'Sixteen byte key'
+ iv = Random.new().read(AES.block_size)
+ cipher = pycrypto_arc2.new(key, AES.MODE_CFB, iv)
diff --git a/releasenotes/notes/add-pycrypto-warn-c430f40f1d0fb44a.yaml b/releasenotes/notes/add-pycrypto-warn-c430f40f1d0fb44a.yaml
new file mode 100644
index 00000000..cc4166cb
--- /dev/null
+++ b/releasenotes/notes/add-pycrypto-warn-c430f40f1d0fb44a.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ PyCrypto library is no longer actively maintained and should be replaced
+ with ``cryptography`` library. A new rule is added to detect and warn the
+ import and use of ``pycrypto`` module.
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index 60dd5851..c13581c7 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -705,3 +705,11 @@ class FunctionalTests(testtools.TestCase):
 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 5}
 }
 self.check_example('hashlib_new_insecure_functions.py', expect)
+
+ def test_blacklist_pycrypto(self):
+ '''Test importing pycrypto module'''
+ expect = {
+ 'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2},
+ 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
+ }
+ self.check_example('pycrypto.py', expect)
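Review bot: The new entry closes with `'Consider using pyca/cryptography library.', 'HIGH'))` on a single line, whereas the B412 entry visible in the context ends `'{name} module.', 'HIGH'` and then puts `))` on its own line; keeping the closing parentheses on a separate line, as every neighbouring entry does, keeps the list uniform and makes the next addition a clean append. The message also names only pyCrypto while the `['Crypto']` match is by package name, so a reader of the finding cannot tell from the text alone whether another library using that namespace was hit; a short clause such as `(or another library using the Crypto namespace)` in the message would make the finding honest about its precision. gen_blacklist begins outside this hunk.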
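Review bot: The last line of examples/pycrypto.py, `cipher = pycrypto_arc2.new(key, AES.MODE_CFB, iv)`, refers to a name the file never defines or imports, so the fixture never makes a call that resolves into the `Crypto` package; the intended statement is presumably `cipher = AES.new(key, AES.MODE_CFB, iv)`. Because gen_blacklist registers the same set under `'Call'`, correcting the name may add a third finding beyond the `'HIGH': 2` that test_blacklist_pycrypto pins in the tests/functional hunk, so the example and the expected counts should be adjusted together and the test's docstring extended to say which statements are expected to fire. `cipher` is assigned and never used, which is acceptable for a scanner fixture but worth a comment such as `# fixture only; the value is intentionally unused` so a linter cleanup does not remove the line the test depends on.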