weak_cryptographic_key assumes positional arg
The weak_cryptographic_key assumes a positional arg when it doesn't
find a value for the keyword arg. The issue is that sometimes the
keyword arg is an ast.Call or other indeterminate values. As
a result, it throws a Traceback.

This change will make the plugin a little more robust so it doesn't
throw the Traceback. It won't be able to determine the value of the
curve in this case, but can ignore it.

Fixes #545

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb committed Jul 11, 2022
1 parent a51b855 commit 30ae1ca
Showing 2 changed files with 8 additions and 1 deletion.
3 changes: 2 additions & 1 deletion bandit/plugins/weak_cryptographic_key.py
Expand Up @@ -133,7 +133,8 @@ def _weak_crypto_key_size_cryptography_io(context, config):
}
curve = (
context.get_call_arg_value("curve")
or context.call_args[arg_position[key_type]]
or (len(context.call_args) > arg_position[key_type]
and context.call_args[arg_position[key_type]])
)
key_size = curve_key_sizes[curve] if curve in curve_key_sizes else 224
return _classify_key_size(config, key_type, key_size)
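Review bot: in the new `or (len(context.call_args) > arg_position[key_type] and ...)` branch, when the length check fails the whole `and` expression evaluates to `False`, so `curve` ends up as `False` rather than `None`. The following `curve in curve_key_sizes` lookup still misses and falls back to 224, so the fix does stop the IndexError, but an explicit `if` that sets `curve = None` would state the intent (curve unknown) without relying on a `False` sentinel. A short comment on the 224 fallback would also help: an undeterminable curve, whether the keyword is an `ast.Call` or no positional arg is present, is classified as if it were a 224-bit curve, which is a scanner-level choice a reader of this function would not otherwise expect.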
6 changes: 6 additions & 0 deletions examples/weak_cryptographic_key_sizes.py
Expand Up @@ -64,3 +64,9 @@
rsa.generate_private_key(public_exponent=65537,
key_size=some_key_size,
backend=backends.default_backend())

# Can't reliably know which curve was passed, in some cases like below
ec.generate_private_key(
curve=curves[self.curve]['create'](self.size),
backend=backends.default_backend()
)
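Review bot: `self` and `curves` are unbound at module level in this new example; that is fine because bandit only parses this file and never executes it, but a one-line comment saying the snippet is intentionally not runnable would stop the next reader from filing it as a bug. The existing comment could also say what the case exercises: a `curve=` keyword whose value is an `ast.Call`, with no positional argument supplied, which is exactly the path the plugin change guards against.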
