hashids-with-flask-secret-python

Author: ESS-ENN

rules/python/security/hashids-with-flask-secret-python.yml

@@ -0,0 +1,201 @@
+id: hashids-with-flask-secret-python
+severity: warning
+language: python
+message: >-
+      The Flask secret key is used as salt in HashIDs. The HashID mechanism
+      is not secure. By observing sufficient HashIDs, the salt used to construct
+      them can be recovered. This means the Flask secret key can be obtained by
+      attackers, through the HashIDs).
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY
+      - http://carnage.github.io/2015/08/cryptanalysis-of-hashids
+utils:
+  hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...):
+    # hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...)
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^hashids.Hashids$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: end
+            kind: keyword_argument
+            all:
+             - has:
+                 stopBy: neighbor
+                 kind: identifier
+                 regex: ^salt$
+             - has:
+                 stopBy: neighbor
+                 kind: subscript
+                 pattern: flask.current_app.config['SECRET_KEY']
+  hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...):
+    # hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...)
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^hashids.Hashids$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: neighbor
+            kind: subscript
+            pattern: flask.current_app.config['SECRET_KEY']
+  hashids.Hashids($APP.config['SECRET_KEY'], ...):
+    # hashids.Hashids($APP.config['SECRET_KEY'], ...)
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^hashids.Hashids$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: neighbor
+            kind: subscript
+            pattern: $APP.config['SECRET_KEY']
+      - inside:
+          stopBy: end
+          kind: module
+          has:
+            stopBy: end
+            kind: expression_statement
+            has:
+              stopBy: neighbor
+              kind: assignment
+              pattern: $APP = flask.Flask($$$)
+  hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...):
+    # hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...)
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^hashids.Hashids$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: end
+            kind: keyword_argument
+            all:
+             - has:
+                 stopBy: neighbor
+                 kind: identifier
+                 regex: ^salt$
+             - has:
+                 stopBy: neighbor
+                 kind: subscript
+                 pattern: $APP.config['SECRET_KEY']
+      - inside:
+          stopBy: end
+          kind: module
+          has:
+            stopBy: end
+            kind: expression_statement
+            has:
+              stopBy: neighbor
+              kind: assignment
+              pattern: $APP = flask.Flask($$$)
+  Hashids(salt=app.config['SECRET_KEY']):
+#    from hashids import Hashids
+#    from flask import current_app as app
+#    hash_id = Hashids(salt=app.config['SECRET_KEY'])
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: ^Hashids$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: end
+            kind: keyword_argument
+            all:
+             - has:
+                 stopBy: neighbor
+                 kind: identifier
+                 regex: ^salt$
+             - has:
+                 stopBy: neighbor
+                 kind: subscript
+                 pattern: $APP.config['SECRET_KEY']
+      - inside:
+          stopBy: end
+          kind: module
+          all:
+            - has:
+                stopBy: end
+                kind: import_from_statement
+                pattern: from hashids import Hashids
+            - any:
+              - has:
+                 stopBy: end
+                 kind: import_from_statement
+                 pattern: from flask import current_app as $APP
+              - has:
+                  stopBy: end
+                  kind: expression_statement
+                  has:
+                    stopBy: end
+                    kind: assignment
+                    pattern: $APP = Flask($$$)
+  Hashids(salt=current_app.config['SECRET_KEY']):
+    # from hashids import Hashids
+    # from flask import current_app
+    # hashids = Hashids(min_length=5, salt=current_app.config['SECRET_KEY'])
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: ^Hashids$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: end
+            kind: keyword_argument
+            all:
+             - has:
+                 stopBy: neighbor
+                 kind: identifier
+                 regex: ^salt$
+             - has:
+                 stopBy: neighbor
+                 kind: subscript
+                 pattern: current_app.config['SECRET_KEY']
+      - inside:
+          stopBy: end
+          kind: module
+          all:
+            - has:
+                stopBy: end
+                kind: import_from_statement
+                pattern: from hashids import Hashids
+            - has:
+                stopBy: end
+                kind: import_from_statement
+                pattern: from flask import current_app
+rule:
+ kind: call
+ any:
+   - matches: hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...)
+   - matches: hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...)
+   - matches: hashids.Hashids($APP.config['SECRET_KEY'], ...)
+   - matches: hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...)
+   - matches: Hashids(salt=app.config['SECRET_KEY'])
+   - matches: Hashids(salt=current_app.config['SECRET_KEY'])

tests/__snapshots__/hashids-with-flask-secret-python-snapshot.yml

@@ -0,0 +1,230 @@
+id: hashids-with-flask-secret-python
+snapshots:
+  ? |-
+    from hashids import Hashids
+    app = Flask(__name__.split('.')[0])
+    hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY'])
+  : labels:
+    - source: Hashids(min_length=4, salt=app.config['SECRET_KEY'])
+      style: primary
+      start: 74
+      end: 126
+    - source: Hashids
+      style: secondary
+      start: 74
+      end: 81
+    - source: salt
+      style: secondary
+      start: 96
+      end: 100
+    - source: app.config['SECRET_KEY']
+      style: secondary
+      start: 101
+      end: 125
+    - source: salt=app.config['SECRET_KEY']
+      style: secondary
+      start: 96
+      end: 125
+    - source: (min_length=4, salt=app.config['SECRET_KEY'])
+      style: secondary
+      start: 81
+      end: 126
+    - source: from hashids import Hashids
+      style: secondary
+      start: 0
+      end: 27
+    - source: app = Flask(__name__.split('.')[0])
+      style: secondary
+      start: 28
+      end: 63
+    - source: app = Flask(__name__.split('.')[0])
+      style: secondary
+      start: 28
+      end: 63
+    - source: |-
+        from hashids import Hashids
+        app = Flask(__name__.split('.')[0])
+        hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY'])
+      style: secondary
+      start: 0
+      end: 126
+  ? |
+    from hashids import Hashids
+    foo = Flask()
+    hashids = Hashids(min_length=4, salt=foo.config['SECRET_KEY'])
+  : labels:
+    - source: Hashids(min_length=4, salt=foo.config['SECRET_KEY'])
+      style: primary
+      start: 52
+      end: 104
+    - source: Hashids
+      style: secondary
+      start: 52
+      end: 59
+    - source: salt
+      style: secondary
+      start: 74
+      end: 78
+    - source: foo.config['SECRET_KEY']
+      style: secondary
+      start: 79
+      end: 103
+    - source: salt=foo.config['SECRET_KEY']
+      style: secondary
+      start: 74
+      end: 103
+    - source: (min_length=4, salt=foo.config['SECRET_KEY'])
+      style: secondary
+      start: 59
+      end: 104
+    - source: from hashids import Hashids
+      style: secondary
+      start: 0
+      end: 27
+    - source: foo = Flask()
+      style: secondary
+      start: 28
+      end: 41
+    - source: foo = Flask()
+      style: secondary
+      start: 28
+      end: 41
+    - source: |
+        from hashids import Hashids
+        foo = Flask()
+        hashids = Hashids(min_length=4, salt=foo.config['SECRET_KEY'])
+      style: secondary
+      start: 0
+      end: 105
+  ? |
+    from hashids import Hashids
+    from flask import current_app
+    hashids = Hashids(min_length=5, salt=current_app.config['SECRET_KEY'])
+  : labels:
+    - source: Hashids(min_length=5, salt=current_app.config['SECRET_KEY'])
+      style: primary
+      start: 68
+      end: 128
+    - source: Hashids
+      style: secondary
+      start: 68
+      end: 75
+    - source: salt
+      style: secondary
+      start: 90
+      end: 94
+    - source: current_app.config['SECRET_KEY']
+      style: secondary
+      start: 95
+      end: 127
+    - source: salt=current_app.config['SECRET_KEY']
+      style: secondary
+      start: 90
+      end: 127
+    - source: (min_length=5, salt=current_app.config['SECRET_KEY'])
+      style: secondary
+      start: 75
+      end: 128
+    - source: from hashids import Hashids
+      style: secondary
+      start: 0
+      end: 27
+    - source: from flask import current_app
+      style: secondary
+      start: 28
+      end: 57
+    - source: |
+        from hashids import Hashids
+        from flask import current_app
+        hashids = Hashids(min_length=5, salt=current_app.config['SECRET_KEY'])
+      style: secondary
+      start: 0
+      end: 129
+  ? |
+    from hashids import Hashids
+    from flask import current_app as app
+    hash_id = Hashids(salt=app.config['SECRET_KEY'], min_length=34)
+  : labels:
+    - source: Hashids(salt=app.config['SECRET_KEY'], min_length=34)
+      style: primary
+      start: 75
+      end: 128
+    - source: Hashids
+      style: secondary
+      start: 75
+      end: 82
+    - source: salt
+      style: secondary
+      start: 83
+      end: 87
+    - source: app.config['SECRET_KEY']
+      style: secondary
+      start: 88
+      end: 112
+    - source: salt=app.config['SECRET_KEY']
+      style: secondary
+      start: 83
+      end: 112
+    - source: (salt=app.config['SECRET_KEY'], min_length=34)
+      style: secondary
+      start: 82
+      end: 128
+    - source: from hashids import Hashids
+      style: secondary
+      start: 0
+      end: 27
+    - source: from flask import current_app as app
+      style: secondary
+      start: 28
+      end: 64
+    - source: |
+        from hashids import Hashids
+        from flask import current_app as app
+        hash_id = Hashids(salt=app.config['SECRET_KEY'], min_length=34)
+      style: secondary
+      start: 0
+      end: 129
+  ? |
+    from hashids import Hashids
+    from flask import current_app as app
+    hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY'])
+  : labels:
+    - source: Hashids(min_length=4, salt=app.config['SECRET_KEY'])
+      style: primary
+      start: 75
+      end: 127
+    - source: Hashids
+      style: secondary
+      start: 75
+      end: 82
+    - source: salt
+      style: secondary
+      start: 97
+      end: 101
+    - source: app.config['SECRET_KEY']
+      style: secondary
+      start: 102
+      end: 126
+    - source: salt=app.config['SECRET_KEY']
+      style: secondary
+      start: 97
+      end: 126
+    - source: (min_length=4, salt=app.config['SECRET_KEY'])
+      style: secondary
+      start: 82
+      end: 127
+    - source: from hashids import Hashids
+      style: secondary
+      start: 0
+      end: 27
+    - source: from flask import current_app as app
+      style: secondary
+      start: 28
+      end: 64
+    - source: |
+        from hashids import Hashids
+        from flask import current_app as app
+        hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY'])
+      style: secondary
+      start: 0
+      end: 128

tests/python/hashids-with-flask-secret-python-test.yml

@@ -0,0 +1,25 @@
+id: hashids-with-flask-secret-python
+valid:
+  - |
+    hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY'])
+invalid:
+  - |
+    from hashids import Hashids
+    from flask import current_app as app
+    hash_id = Hashids(salt=app.config['SECRET_KEY'], min_length=34)
+  - |
+    from hashids import Hashids
+    from flask import current_app as app
+    hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY'])
+  - |
+    from hashids import Hashids
+    from flask import current_app
+    hashids = Hashids(min_length=5, salt=current_app.config['SECRET_KEY'])
+  - |
+    from hashids import Hashids
+    foo = Flask()
+    hashids = Hashids(min_length=4, salt=foo.config['SECRET_KEY'])
+  - |
+    from hashids import Hashids
+    app = Flask(__name__.split('.')[0])
+    hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY'])