Add sha1 to the list of insecure hashes

The hashlib.new test plugin was only checking for MD4 and MD5. This patch extends the list of insecure hashes to include SHA1, which has known exploits. Fixes #560 Signed-off-by: Eric Brown <browne@vmware.com>
PyCQA · Jan 9, 2020 · 985749a · 985749a
1 parent d5f8fa0
commit 985749a
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 11 deletions.
diff --git a/bandit/plugins/hashlib_new_insecure_functions.py b/bandit/plugins/hashlib_new_insecure_functions.py
@@ -3,15 +3,15 @@
 # SPDX-License-Identifier: Apache-2.0
 
 r"""
-==========================================================================
-B324: Test for use of insecure md4 and md5 hash functions in hashlib.new()
-==========================================================================
+============================================================================
+B324: Test use of insecure md4, md5, or sha1 hash functions in hashlib.new()
+============================================================================
 
-This plugin checks for the usage of the insecure MD4 and MD5 hash functions
-in ``hashlib.new`` function. The ``hashlib.new`` function provides the ability
-to construct a new hashing object using the named algorithm. This can be used
-to create insecure hash functions like MD4 and MD5 if they are passed as
-algorithm names to this function.
+This plugin checks for the usage of the insecure MD4, MD5, or SHA1 hash
+functions in ``hashlib.new`` function. The ``hashlib.new`` function provides
+the ability to construct a new hashing object using the named algorithm. This
+can be used to create insecure hash functions like MD4 and MD5 if they are
+passed as algorithm names to this function.
 
 This is similar to B303 blacklist check, except that this checks for insecure
 hash functions created using ``hashlib.new`` function.
@@ -44,7 +44,8 @@ def hashlib_new(context):
             args = context.call_args
             keywords = context.call_keywords
             name = args[0] if args else keywords['name']
-            if isinstance(name, str) and name.lower() in ('md4', 'md5'):
+            if (isinstance(name, str) and
+                    name.lower() in ('md4', 'md5', 'sha', 'sha1')):
                 return bandit.Issue(
                     severity=bandit.MEDIUM,
                     confidence=bandit.HIGH,

diff --git a/examples/hashlib_new_insecure_functions.py b/examples/hashlib_new_insecure_functions.py
@@ -10,6 +10,14 @@
 
 hashlib.new(string='test', name='MD5')
 
+hashlib.new('sha1')
+
+hashlib.new(string='test', name='SHA1')
+
+hashlib.new('sha', string='test')
+
+hashlib.new(name='SHA', string='test')
+
 # Test that plugin does not flag valid hash functions.
 hashlib.new('sha256')
 

diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
@@ -772,8 +772,8 @@ def test_unverified_context(self):
     def test_hashlib_new_insecure_functions(self):
         '''Test insecure hash functions created by `hashlib.new`.'''
         expect = {
-            'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 5, 'HIGH': 0},
-            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 5}
+            'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 9, 'HIGH': 0},
+            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 9}
         }
         self.check_example('hashlib_new_insecure_functions.py', expect)