Use of crypt should be flagged #1017
Labels
bug
Something isn't working
Comments
ericwb
added a commit
to ericwb/bandit
that referenced
this issue
Apr 10, 2023
The crypt module also permits creating weak hashes such as MD5 just like hashlib. This change extends the hashlib plugin to add the extra checks on calls to crypt.crypt and crypt.mksalt which both take a hash method parameter. The new checks won't necessarily catch all weak hashes available as the operating system might provide others that the crypt module picks up. But it will capture cases with the default set. Namely, METHOD_CRYPT", METHOD_MD5, and METHOD_BLOWFISH. Also note that crypt.methods is supposed to return a list all available hash methods. However, testing has shown that it can return just METHOD_CRYPT, the weakest of the bunch. And passing None as args to these module functions will default to the highest available hash from crypt.methods. So this also can be weak by default, but no reliable for Bandit to detect. https://docs.python.org/3.11/library/crypt.html#module-crypt Fixes PyCQA#1017 Signed-off-by: Eric Brown <[email protected]>
ericwb
added a commit
to ericwb/bandit
that referenced
this issue
Apr 10, 2023
The crypt module also permits creating weak hashes such as MD5 just like hashlib. This change extends the hashlib plugin to add the extra checks on calls to crypt.crypt and crypt.mksalt which both take a hash method parameter. The new checks won't necessarily catch all weak hashes available as the operating system might provide others that the crypt module picks up. But it will capture cases with the default set. Namely, METHOD_CRYPT", METHOD_MD5, and METHOD_BLOWFISH. Also note that crypt.methods is supposed to return a list all available hash methods. However, testing has shown that it can return just METHOD_CRYPT, the weakest of the bunch. And passing None as args to these module functions will default to the highest available hash from crypt.methods. So this also can be weak by default, but no reliable for Bandit to detect. https://docs.python.org/3.11/library/crypt.html#module-crypt Fixes PyCQA#1017 Signed-off-by: Eric Brown <[email protected]>
ericwb
added a commit
to ericwb/bandit
that referenced
this issue
Apr 10, 2023
The crypt module also permits creating weak hashes such as MD5 just like hashlib. This change extends the hashlib plugin to add the extra checks on calls to crypt.crypt and crypt.mksalt which both take a hash method parameter. The new checks won't necessarily catch all weak hashes available as the operating system might provide others that the crypt module picks up. But it will capture cases with the default set. Namely, METHOD_CRYPT", METHOD_MD5, and METHOD_BLOWFISH. Also note that crypt.methods is supposed to return a list all available hash methods. However, testing has shown that it can return just METHOD_CRYPT, the weakest of the bunch. And passing None as args to these module functions will default to the highest available hash from crypt.methods. So this also can be weak by default, but no reliable for Bandit to detect. https://docs.python.org/3.11/library/crypt.html#module-crypt Fixes PyCQA#1017 Signed-off-by: Eric Brown <[email protected]>
ericwb
added a commit
that referenced
this issue
Apr 10, 2023
The crypt module also permits creating weak hashes such as MD5 just like hashlib. This change extends the hashlib plugin to add the extra checks on calls to crypt.crypt and crypt.mksalt which both take a hash method parameter. The new checks won't necessarily catch all weak hashes available as the operating system might provide others that the crypt module picks up. But it will capture cases with the default set. Namely, METHOD_CRYPT", METHOD_MD5, and METHOD_BLOWFISH. Also note that crypt.methods is supposed to return a list all available hash methods. However, testing has shown that it can return just METHOD_CRYPT, the weakest of the bunch. And passing None as args to these module functions will default to the highest available hash from crypt.methods. So this also can be weak by default, but no reliable for Bandit to detect. https://docs.python.org/3.11/library/crypt.html#module-crypt Fixes #1017 Signed-off-by: Eric Brown <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
The crypt module of base Python is already deprecated as of 3.11, but it is still functional
usable to create weak hashes.
https://docs.python.org/3.11/library/crypt.html#module-crypt
Reproduction steps
For example, someone may still utilize this module to generate MD5 hashes like so. crypt.crypt("sadfasdfasdfsdaf", salt=crypt.METHOD_MD5)The text was updated successfully, but these errors were encountered: