Add further tests of cryptography (#177)

Signed-off-by: Eric Brown <eric.brown@securesauce.dev>
securesauce · Nov 15, 2023 · d2425b0 · d2425b0
1 parent 260e4e4
commit d2425b0
Show file tree

Hide file tree

Showing 10 changed files with 174 additions and 2 deletions.
diff --git a/precli/rules/python/third_party/cryptography/cryptography_weak_hash.py b/precli/rules/python/third_party/cryptography/cryptography_weak_hash.py
@@ -97,7 +97,7 @@ def analyze(self, context: dict, **kwargs: dict) -> Result:
                 rule_id=self.id,
                 location=Location(
                     file_name=context["file_name"],
-                    node=call.function_node,
+                    node=call.identifier_node,
                 ),
                 level=Level.ERROR,
                 message=self.message.format(call.name_qualified),

diff --git a/tests/unit/rules/python/third_party/cryptography/examples/algorithms_arc4.py b/tests/unit/rules/python/third_party/cryptography/examples/algorithms_arc4.py
@@ -1,3 +1,8 @@
+# level: ERROR
+# start_line: 9
+# end_line: 9
+# start_column: 38
+# end_column: 41
 import os
 
 from cryptography.hazmat.primitives.ciphers import algorithms

diff --git a/tests/unit/rules/python/third_party/cryptography/examples/algorithms_blowfish.py b/tests/unit/rules/python/third_party/cryptography/examples/algorithms_blowfish.py
@@ -1,3 +1,8 @@
+# level: ERROR
+# start_line: 9
+# end_line: 9
+# start_column: 38
+# end_column: 41
 import os
 
 from cryptography.hazmat.primitives.ciphers import algorithms

diff --git a/tests/unit/rules/python/third_party/cryptography/examples/algorithms_idea.py b/tests/unit/rules/python/third_party/cryptography/examples/algorithms_idea.py
@@ -1,3 +1,8 @@
+# level: ERROR
+# start_line: 9
+# end_line: 9
+# start_column: 38
+# end_column: 41
 import os
 
 from cryptography.hazmat.primitives.ciphers import algorithms

diff --git a/tests/unit/rules/python/third_party/cryptography/examples/hashes_md5.py b/tests/unit/rules/python/third_party/cryptography/examples/hashes_md5.py
@@ -1,4 +1,8 @@
-# from cryptography.hazmat.primitives import hashes
+# level: ERROR
+# start_line: 9
+# end_line: 9
+# start_column: 38
+# end_column: 41
 import cryptography
 
 

diff --git a/tests/unit/rules/python/third_party/cryptography/examples/hashes_sha1.py b/tests/unit/rules/python/third_party/cryptography/examples/hashes_sha1.py
@@ -1,3 +1,8 @@
+# level: ERROR
+# start_line: 9
+# end_line: 9
+# start_column: 7
+# end_column: 11
 from cryptography.hazmat.primitives import hashes
 
 

diff --git a/tests/unit/rules/python/third_party/cryptography/examples/modes_ecb.py b/tests/unit/rules/python/third_party/cryptography/examples/modes_ecb.py
@@ -0,0 +1,18 @@
+# level: ERROR
+# start_line: 15
+# end_line: 15
+# start_column: 13
+# end_column: 16
+import os
+
+from cryptography.hazmat.primitives.ciphers import algorithms
+from cryptography.hazmat.primitives.ciphers import Cipher
+from cryptography.hazmat.primitives.ciphers import modes
+
+
+key = os.urandom(32)
+algorithm = algorithms.AES(key)
+mode = modes.ECB()
+cipher = Cipher(algorithm, mode=mode)
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message") + encryptor.finalize()
diff --git a/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_cipher.py b/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_cipher.py
@@ -0,0 +1,39 @@
+# Copyright 2023 Secure Saurce LLC
+import os
+
+from parameterized import parameterized
+
+from precli.core.level import Level
+from precli.parsers import python
+from precli.rules import Rule
+from tests.unit.rules.python import test_case
+
+
+class CryptographyWeakCipherTests(test_case.TestCase):
+    def setUp(self):
+        super().setUp()
+        self.rule_id = "PRE0501"
+        self.parser = python.Python(enabled=[self.rule_id])
+        self.base_path = os.path.join(
+            "tests",
+            "unit",
+            "rules",
+            "python",
+            "third_party",
+            "cryptography",
+            "examples",
+        )
+
+    def test_cryptography_weak_cipher_rule_meta(self):
+        rule = Rule.get_by_id(self.rule_id)
+        self.assertEqual(self.rule_id, rule.id)
+        self.assertEqual(
+            "use_of_a_broken_or_risky_cryptographic_algorithm", rule.name
+        )
+        self.assertEqual(
+            f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
+        )
+        self.assertEqual(True, rule.default_config.enabled)
+        self.assertEqual(Level.WARNING, rule.default_config.level)
+        self.assertEqual(-1.0, rule.default_config.rank)
+        self.assertEqual("327", rule.cwe.cwe_id)
diff --git a/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_cipher_mode.py b/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_cipher_mode.py
@@ -0,0 +1,45 @@
+# Copyright 2023 Secure Saurce LLC
+import os
+
+from parameterized import parameterized
+
+from precli.core.level import Level
+from precli.parsers import python
+from precli.rules import Rule
+from tests.unit.rules.python import test_case
+
+
+class CryptographyWeakCipherModeTests(test_case.TestCase):
+    def setUp(self):
+        super().setUp()
+        self.rule_id = "PRE0502"
+        self.parser = python.Python(enabled=[self.rule_id])
+        self.base_path = os.path.join(
+            "tests",
+            "unit",
+            "rules",
+            "python",
+            "third_party",
+            "cryptography",
+            "examples",
+        )
+
+    def test_cryptography_weak_cipher_mode_rule_meta(self):
+        rule = Rule.get_by_id(self.rule_id)
+        self.assertEqual(self.rule_id, rule.id)
+        self.assertEqual("use_of_risky_cryptographic_cipher_mode", rule.name)
+        self.assertEqual(
+            f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
+        )
+        self.assertEqual(True, rule.default_config.enabled)
+        self.assertEqual(Level.WARNING, rule.default_config.level)
+        self.assertEqual(-1.0, rule.default_config.rank)
+        self.assertEqual("327", rule.cwe.cwe_id)
+
+    @parameterized.expand(
+        [
+            "modes_ecb",
+        ]
+    )
+    def test(self, filename):
+        self.check(filename)
diff --git a/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_hash.py b/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_hash.py
@@ -0,0 +1,46 @@
+# Copyright 2023 Secure Saurce LLC
+import os
+
+from parameterized import parameterized
+
+from precli.core.level import Level
+from precli.parsers import python
+from precli.rules import Rule
+from tests.unit.rules.python import test_case
+
+
+class CryptographyWeakHashTests(test_case.TestCase):
+    def setUp(self):
+        super().setUp()
+        self.rule_id = "PRE0503"
+        self.parser = python.Python(enabled=[self.rule_id])
+        self.base_path = os.path.join(
+            "tests",
+            "unit",
+            "rules",
+            "python",
+            "third_party",
+            "cryptography",
+            "examples",
+        )
+
+    def test_cryptography_weak_hash_rule_meta(self):
+        rule = Rule.get_by_id(self.rule_id)
+        self.assertEqual(self.rule_id, rule.id)
+        self.assertEqual("reversible_one_way_hash", rule.name)
+        self.assertEqual(
+            f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
+        )
+        self.assertEqual(True, rule.default_config.enabled)
+        self.assertEqual(Level.WARNING, rule.default_config.level)
+        self.assertEqual(-1.0, rule.default_config.rank)
+        self.assertEqual("328", rule.cwe.cwe_id)
+
+    @parameterized.expand(
+        [
+            "hashes_md5",
+            "hashes_sha1",
+        ]
+    )
+    def test(self, filename):
+        self.check(filename)