insecure-hash-functions

Try in Playground
python-securitySecurityError

0

md5
CWE-327

Do not use a broken or risky cryptographic algorithm. This exposes you to unwanted attacks.

It checks the following modules

  • hashlib
  • cryptography

Learn More

  • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
  • CWE-328 - Use of Weak Hash

Ast Rule: function call


insecure-hash-functions

How to write a rule
function checkAlgorithm(node, hashMethod) {
  if (!(node.functionName.value === "new" && node.moduleOrObject.value === "hashlib")) {
    return;
  }
  if (!node.arguments || !node.arguments.values || !node.context){
    return;
  }

  const useOutdatedHashMethod = node.arguments.values
  	.filter(a => a.value && a.value.str.toLowerCase() == `'${hashMethod}'`).length > 0;

  const allPackages = node.context.imports
  	.filter(i => i.packages)
  	.flatMap(i => i.packages.map(p => p.name.str));
  const useHashlib = allPackages.filter(i => i === "hashlib").length > 0;

  if(useOutdatedHashMethod && useHashlib){
    const error = buildError(node.start.line, node.start.col, node.end.line, node.end.col, `Use of insecure hashing method ${hashMethod}`, "CRITICAL", "SECURITY");
    addError(error);
  } 
}

const checkHashlib = (node) => {
  const methods = ["md4", "md5", "sha1"];
  methods.forEach(method => {
    checkAlgorithm(node, method);
  });
}

const checkCryptography = (node) => {
  if(node.moduleOrObject && node.moduleOrObject.value === "hashes" && node.functionName && node.functionName.value === "MD5") {
		const useHashes = node.context.imports.filter(i => i.pkg && i.pkg.value === "cryptography.hazmat.primitives" && i.elements && i.elements.map(e => e.name.value).includes("hashes")).length > 0;
    if (useHashes) {
      const error = buildError(node.functionName.start.line, node.functionName.start.col, 
                               node.functionName.end.line, node.functionName.end.col, 
                               "MD5 is not secure", "ERROR", "SECURITY");
      const edit = buildEditUpdate(node.functionName.start.line, node.functionName.start.col, node.functionName.end.line, node.functionName.end.col, "SHA3_256")
      const fix = buildFix("use SHA3_256 instead", [edit]);
      addError(error.addFix(fix));
    }
  }
};


function visit(node, filename) {
  checkHashlib(node);
  checkCryptography(node);
}

cryptography-fail.py

Expected test result: has error

from cryptography.hazmat.primitives import hashes
digest = hashes.Hash(hashes.MD5())

cryptography-fail.py

Expected test result: has error

from cryptography.hazmat.primitives import hashes
digest = hashes.Hash(hashes.MD5())

cryptography-fail.py

Expected test result: no error

from cryptography.hazmat.primitives import hashes
digest = hashes.Hash(hashes.SHA256())

hashlib-fail.py

Expected test result: has error

Add comment

Log in to add a comment


    Be the first one to leave a comment!

Codiga Logo
Codiga Hub
  • Rulesets
  • Explore
  • Cookbooks
  • Playground
soc-2 icon

We are SOC-2 Compliance Certified

G2 high performer medal

Codiga – All rights reserved 2022.