Merge "Add pycrypto to blacklist"
@@ -179,6 +179,19 @@ at https://httpoxy.org/.
|
|||||||
| | | - twisted.web.twcgi.CGIScript | |
|
| | | - twisted.web.twcgi.CGIScript | |
|
||||||
+------+---------------------+------------------------------------+-----------+
|
+------+---------------------+------------------------------------+-----------+
|
||||||
|
|
||||||
|
B413: import_pycrypto
|
||||||
|
---------------------
|
||||||
|
pycrypto library is known to have publicly disclosed buffer overflow
|
||||||
|
vulnerability https://github.com/dlitz/pycrypto/issues/176. It is no longer
|
||||||
|
actively maintained and has been deprecated in favor of pyca/cryptography
|
||||||
|
library.
|
||||||
|
|
||||||
|
+------+---------------------+------------------------------------+-----------+
|
||||||
|
| ID | Name | Imports | Severity |
|
||||||
|
+======+=====================+====================================+===========+
|
||||||
|
| B413 | import_pycrypto | - Crypto | high |
|
||||||
|
+------+---------------------+------------------------------------+-----------+
|
||||||
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from bandit.blacklists import utils
|
from bandit.blacklists import utils
|
||||||
@@ -268,4 +281,10 @@ def gen_blacklist():
|
|||||||
'{name} module.', 'HIGH'
|
'{name} module.', 'HIGH'
|
||||||
))
|
))
|
||||||
|
|
||||||
|
sets.append(utils.build_conf_dict(
|
||||||
|
'import_pycrypto', 'B413', ['Crypto'],
|
||||||
|
'The pyCrypto library and its module {name} are no longer actively '
|
||||||
|
'maintained and have been deprecated. '
|
||||||
|
'Consider using pyca/cryptography library.', 'HIGH'))
|
||||||
|
|
||||||
return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
|
return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
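Review bot: The new B413 entry blacklists the top-level `Crypto` package, but that namespace is also used by pycryptodome, the maintained drop-in fork of PyCrypto, so projects that have already migrated to it will receive a HIGH finding telling them the library is unmaintained. That false-positive case is worth stating in the rule documentation added in the earlier hunk so triage is quick; I would append a sentence such as `Note that pycryptodome, a maintained fork, installs under the same ``Crypto`` package name and will also be reported by this check.` to the B413 docstring section. A second point is that the docstring cites the buffer overflow issue as the motivation for the rule while the finding message built on the 'The pyCrypto library ...' lines only mentions deprecation; mentioning the disclosed vulnerability in the message would give users a concrete reason to act. gen_blacklist starts outside this hunk.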
|
||||||
|
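--- a/examples/pycrypto.py
+++ b/examples/pycrypto.py
@@ -0,0 +1,8 @@
+from Crypto.Cipher import AES
+from Crypto import Random
+
+
+def test_pycrypto():
+    key = b'Sixteen byte key'
+    iv = Random.new().read(AES.block_size)
+    cipher = pycrypto_arc2.new(key, AES.MODE_CFB, iv)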
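Review bot: `pycrypto_arc2` on the last line is never imported or defined, so the example raises NameError if anyone executes it, and `cipher` is never used; since the functional test in this commit expects two HIGH findings, which matches the two `Crypto` import statements, the call line appears not to contribute to the count. If the intent is a realistic PyCrypto usage for the scanner to see, `cipher = AES.new(key, AES.MODE_CFB, iv)` would be the consistent line. I cannot tell from here whether the blacklist's Call set would match that name, so the expected counts in test_blacklist_pycrypto should be re-checked after the change.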
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
PyCrypto library is no longer actively maintained and should be replaced
|
||||||
|
with ``cryptography`` library. A new rule is added to detect and warn the
|
||||||
|
import and use of ``pycrypto`` module.
|
@@ -721,3 +721,11 @@ class FunctionalTests(testtools.TestCase):
|
|||||||
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 5}
|
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 5}
|
||||||
}
|
}
|
||||||
self.check_example('hashlib_new_insecure_functions.py', expect)
|
self.check_example('hashlib_new_insecure_functions.py', expect)
|
||||||
|
|
||||||
|
def test_blacklist_pycrypto(self):
|
||||||
|
'''Test importing pycrypto module'''
|
||||||
|
expect = {
|
||||||
|
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2},
|
||||||
|
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
|
||||||
|
}
|
||||||
|
self.check_example('pycrypto.py', expect)
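Review bot: The docstring on test_blacklist_pycrypto says only `'''Test importing pycrypto module'''`, while the expectation encodes a specific count that a future reader has to reverse-engineer from examples/pycrypto.py. I would spell it out as `'''Test that the two Crypto imports in pycrypto.py produce two HIGH B413 findings'''` so that a change to the example or to the blacklist that shifts the count is understood immediately. The enclosing class FunctionalTests starts outside the hunk.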
|
||||||
|