diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py
index 87eccc05..52a23e9a 100644
--- a/bandit/blacklists/calls.py
+++ b/bandit/blacklists/calls.py
@@ -55,20 +55,25 @@ Deserialization with the marshal module is possibly dangerous.
 B303: md5
 ---------
 
-Use of insecure MD2, MD4, or MD5 hash function.
+Use of insecure MD2, MD4, MD5, or SHA1 hash function.
 
 +------+---------------------+------------------------------------+-----------+
 | ID | Name | Calls | Severity |
 +======+=====================+====================================+===========+
 | B303 | md5 | - hashlib.md5 | Medium |
+| | | - hashlib.sha1 | |
 | | | - Crypto.Hash.MD2.new | |
 | | | - Crypto.Hash.MD4.new | |
 | | | - Crypto.Hash.MD5.new | |
+| | | - Crypto.Hash.SHA.new | |
 | | | - Cryptodome.Hash.MD2.new | |
 | | | - Cryptodome.Hash.MD4.new | |
 | | | - Cryptodome.Hash.MD5.new | |
+| | | - Cryptodome.Hash.SHA.new | |
 | | | - cryptography.hazmat.primitives | |
 | | | .hashes.MD5 | |
+| | | - cryptography.hazmat.primitives | |
+| | | .hashes.SHA1 | |
 +------+---------------------+------------------------------------+-----------+
 
 B304 - B305: ciphers and modes
@@ -329,14 +334,18 @@ def gen_blacklist():
 sets.append(utils.build_conf_dict(
 'md5', 'B303',
 ['hashlib.md5',
+ 'hashlib.sha1',
 'Crypto.Hash.MD2.new',
 'Crypto.Hash.MD4.new',
 'Crypto.Hash.MD5.new',
+ 'Crypto.Hash.SHA.new',
 'Cryptodome.Hash.MD2.new',
 'Cryptodome.Hash.MD4.new',
 'Cryptodome.Hash.MD5.new',
- 'cryptography.hazmat.primitives.hashes.MD5'],
- 'Use of insecure MD2, MD4, or MD5 hash function.'
+ 'Cryptodome.Hash.SHA.new',
+ 'cryptography.hazmat.primitives.hashes.MD5',
+ 'cryptography.hazmat.primitives.hashes.SHA1'],
+ 'Use of insecure MD2, MD4, MD5, or SHA1 hash function.'
 ))
 
 sets.append(utils.build_conf_dict(
diff --git a/examples/crypto-md5.py b/examples/crypto-md5.py
index d5b85c26..045740c3 100644
--- a/examples/crypto-md5.py
+++ b/examples/crypto-md5.py
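Review bot: The reworded description calls SHA1 "insecure" without saying which uses the finding is about, so a reader triaging a hit on `hashlib.sha1` cannot tell from the docs whether an HMAC-SHA1 or a content-fingerprinting use is in scope, and the Medium severity row gives no hint either. A short sentence after the description line would make the finding actionable, for example `SHA1 is flagged because collisions are practical; the finding matters most for signatures, certificates and integrity checks over attacker-influenced data, whereas HMAC-SHA1 does not depend on collision resistance.` The B303 entry still carries the name `md5` while the table now lists SHA1 calls; keeping the name is right for existing skip lists, but the docs could say so in one line so nobody "fixes" it later.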
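Review bot: The new SHA-1 entries only name the legacy `Crypto.Hash.SHA` / `Cryptodome.Hash.SHA` module; PyCryptodome's canonical module is `SHA1`, so `Crypto.Hash.SHA1.new` and `Cryptodome.Hash.SHA1.new` would presumably still pass unflagged, and the list should include `'Crypto.Hash.SHA1.new',` and `'Cryptodome.Hash.SHA1.new',` next to the alias entries. The blacklist matches on qualified call names, so the string-selected form `hashlib.new('sha1')` (and `hashlib.new('md5')`) is outside what this check sees; that gap predates the commit, but a one-line comment next to the list, e.g. `# hashlib.new('sha1') selects the algorithm by string and is not matched here`, would save the next reader from assuming coverage. The check keeps the name `'md5'` while its message now covers SHA1; a comment that the name is retained for config/skip compatibility would stop a later rename. gen_blacklist starts before this hunk; examples/crypto-md5.py in this diff mirrors the same gap by exercising only the `SHA` alias.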
@@ -2,9 +2,11 @@ from cryptography.hazmat.primitives import hashes
 from Crypto.Hash import MD2 as pycrypto_md2
 from Crypto.Hash import MD4 as pycrypto_md4
 from Crypto.Hash import MD5 as pycrypto_md5
+from Crypto.Hash import SHA as pycrypto_sha
 from Cryptodome.Hash import MD2 as pycryptodomex_md2
 from Cryptodome.Hash import MD4 as pycryptodomex_md4
 from Cryptodome.Hash import MD5 as pycryptodomex_md5
+from Cryptodome.Hash import SHA as pycryptodomex_sha
 import hashlib
 
 hashlib.md5(1)
@@ -14,12 +16,17 @@ abc = str.replace(hashlib.md5("1"), "###")
 
 print(hashlib.md5("1"))
 
+hashlib.sha1(1)
+
 pycrypto_md2.new()
 pycrypto_md4.new()
 pycrypto_md5.new()
+pycrypto_sha.new()
 pycryptodomex_md2.new()
 pycryptodomex_md4.new()
 pycryptodomex_md5.new()
+pycryptodomex_sha.new()
 hashes.MD5()
+hashes.SHA1()
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index b13edc5a..db6e3db2 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -120,16 +120,16 @@ class FunctionalTests(testtools.TestCase):
 def test_crypto_md5(self):
 '''Test the `hashlib.md5` example.'''
 expect = {
- 'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 11, 'HIGH': 0},
- 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 11}
+ 'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 15, 'HIGH': 0},
+ 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 15}
 }
 self.check_example('crypto-md5.py', expect)
 
 def test_ciphers(self):
 '''Test the `Crypto.Cipher` example.'''
 expect = {
- 'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 13},
- 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 13}
+ 'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 13},
+ 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 14}
 }
 self.check_example('ciphers.py', expect)
 
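Review bot: The `test_ciphers` expectation now counts one MEDIUM finding and 14 HIGH-confidence findings although examples/ciphers.py is not part of this diff, so the extra hit can only come from the B303 additions matching a hash call already present in that example (inferred; the example is not visible here). Nothing in the test records that coupling, and the docstring still says it tests the `Crypto.Cipher` example, so the next change to either ciphers.py or B303 will shift this number with no explanation. A comment above `expect`, e.g. `# the single MEDIUM finding is B303 (SHA1) firing on a hash call in ciphers.py, not a cipher check`, would pin the dependency, and `test_crypto_md5`'s docstring could say the example now also covers SHA1. The FunctionalTests class begins before this hunk.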