From dbe1b098e7528d8c1bed78f55e53d3118c671232 Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Tue, 14 Nov 2023 19:12:37 -0800
Subject: [PATCH] Add further tests of cryptography
Signed-off-by: Eric Brown
---
 .../cryptography/cryptography_weak_hash.py | 2 +-
 .../cryptography/examples/algorithms_arc4.py | 5 ++
 .../examples/algorithms_blowfish.py | 5 ++
 .../cryptography/examples/algorithms_idea.py | 5 ++
 .../cryptography/examples/hashes_md5.py | 6 ++-
 .../cryptography/examples/hashes_sha1.py | 5 ++
 .../cryptography/examples/modes_ecb.py | 18 ++++++++
 .../test_cryptography_weak_cipher.py | 39 ++++++++++++++++
 .../test_cryptography_weak_cipher_mode.py | 45 ++++++++++++++++++
 .../test_cryptography_weak_hash.py | 46 +++++++++++++++++++
 10 files changed, 174 insertions(+), 2 deletions(-)
 create mode 100644 tests/unit/rules/python/third_party/cryptography/examples/modes_ecb.py
 create mode 100644 tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_cipher.py
 create mode 100644 tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_cipher_mode.py
 create mode 100644 tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_hash.py
diff --git a/precli/rules/python/third_party/cryptography/cryptography_weak_hash.py b/precli/rules/python/third_party/cryptography/cryptography_weak_hash.py
index 2197123e..7d6817bb 100644
--- a/precli/rules/python/third_party/cryptography/cryptography_weak_hash.py
+++ b/precli/rules/python/third_party/cryptography/cryptography_weak_hash.py
@@ -97,7 +97,7 @@ def analyze(self, context: dict, **kwargs: dict) -> Result:
 rule_id=self.id,
 location=Location(
 file_name=context["file_name"],
- node=call.function_node,
+ node=call.identifier_node,
 ),
 level=Level.ERROR,
 message=self.message.format(call.name_qualified),
diff --git a/tests/unit/rules/python/third_party/cryptography/examples/algorithms_arc4.py b/tests/unit/rules/python/third_party/cryptography/examples/algorithms_arc4.py
index 87c37460..a89a9188 100644
--- a/tests/unit/rules/python/third_party/cryptography/examples/algorithms_arc4.py
+++ b/tests/unit/rules/python/third_party/cryptography/examples/algorithms_arc4.py
@@ -1,3 +1,8 @@
+# level: ERROR
+# start_line: 9
+# end_line: 9
+# start_column: 38
+# end_column: 41
 import os
 from cryptography.hazmat.primitives.ciphers import algorithms
diff --git a/tests/unit/rules/python/third_party/cryptography/examples/algorithms_blowfish.py b/tests/unit/rules/python/third_party/cryptography/examples/algorithms_blowfish.py
index ef94deb5..e6f15f4e 100644
--- a/tests/unit/rules/python/third_party/cryptography/examples/algorithms_blowfish.py
+++ b/tests/unit/rules/python/third_party/cryptography/examples/algorithms_blowfish.py
@@ -1,3 +1,8 @@
+# level: ERROR
+# start_line: 9
+# end_line: 9
+# start_column: 38
+# end_column: 41
 import os
 from cryptography.hazmat.primitives.ciphers import algorithms
diff --git a/tests/unit/rules/python/third_party/cryptography/examples/algorithms_idea.py b/tests/unit/rules/python/third_party/cryptography/examples/algorithms_idea.py
index 8be6655d..64cf2b1f 100644
--- a/tests/unit/rules/python/third_party/cryptography/examples/algorithms_idea.py
+++ b/tests/unit/rules/python/third_party/cryptography/examples/algorithms_idea.py
@@ -1,3 +1,8 @@
+# level: ERROR
+# start_line: 9
+# end_line: 9
+# start_column: 38
+# end_column: 41
 import os
 from cryptography.hazmat.primitives.ciphers import algorithms
diff --git a/tests/unit/rules/python/third_party/cryptography/examples/hashes_md5.py b/tests/unit/rules/python/third_party/cryptography/examples/hashes_md5.py
index 5ed988b8..029c892d 100644
--- a/tests/unit/rules/python/third_party/cryptography/examples/hashes_md5.py
+++ b/tests/unit/rules/python/third_party/cryptography/examples/hashes_md5.py
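Review bot: The expected span added to algorithms_arc4.py, `# start_column: 38` / `# end_column: 41`, is the same three-column span hashes_md5.py uses for `MD5`, and the identical values are repeated in the algorithms_blowfish.py and algorithms_idea.py hunks; a three-column span cannot cover the identifiers `ARC4`, `Blowfish` or `IDEA`, so these look copied rather than measured. The annotated line 9 is outside each hunk, so the correct columns cannot be read from here, but the other annotations in this commit (`SHA1` at 7–11, `ECB` at 13–16) span exactly the identifier length, and these three do not. No test in this commit loads these three examples, so a wrong span would not surface; measure each against its `algorithms.<Name>(...)` call and replace the two lines with the measured values, e.g. `# start_column: <measured>` / `# end_column: <measured + len("ARC4")>`.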
@@ -1,4 +1,8 @@
-# from cryptography.hazmat.primitives import hashes
+# level: ERROR
+# start_line: 9
+# end_line: 9
+# start_column: 38
+# end_column: 41
 import cryptography
diff --git a/tests/unit/rules/python/third_party/cryptography/examples/hashes_sha1.py b/tests/unit/rules/python/third_party/cryptography/examples/hashes_sha1.py
index 0b26c50d..35c28589 100644
--- a/tests/unit/rules/python/third_party/cryptography/examples/hashes_sha1.py
+++ b/tests/unit/rules/python/third_party/cryptography/examples/hashes_sha1.py
@@ -1,3 +1,8 @@
+# level: ERROR
+# start_line: 9
+# end_line: 9
+# start_column: 7
+# end_column: 11
 from cryptography.hazmat.primitives import hashes
diff --git a/tests/unit/rules/python/third_party/cryptography/examples/modes_ecb.py b/tests/unit/rules/python/third_party/cryptography/examples/modes_ecb.py
new file mode 100644
index 00000000..d055dbcc
--- /dev/null
+++ b/tests/unit/rules/python/third_party/cryptography/examples/modes_ecb.py
@@ -0,0 +1,18 @@
+# level: ERROR
+# start_line: 15
+# end_line: 15
+# start_column: 13
+# end_column: 16
+import os
+
+from cryptography.hazmat.primitives.ciphers import algorithms
+from cryptography.hazmat.primitives.ciphers import Cipher
+from cryptography.hazmat.primitives.ciphers import modes
+
+
+key = os.urandom(32)
+algorithm = algorithms.AES(key)
+mode = modes.ECB()
+cipher = Cipher(algorithm, mode=mode)
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message") + encryptor.finalize()
diff --git a/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_cipher.py b/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_cipher.py
new file mode 100644
index 00000000..d0648859
--- /dev/null
+++ b/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_cipher.py
@@ -0,0 +1,39 @@
+# Copyright 2023 Secure Saurce LLC
+import os
+
+from parameterized import parameterized
+
+from precli.core.level import Level
+from precli.parsers import python
+from precli.rules import Rule
+from tests.unit.rules.python import test_case
+
+
+class CryptographyWeakCipherTests(test_case.TestCase):
+ def setUp(self):
+ super().setUp()
+ self.rule_id = "PRE0501"
+ self.parser = python.Python(enabled=[self.rule_id])
+ self.base_path = os.path.join(
+ "tests",
+ "unit",
+ "rules",
+ "python",
+ "third_party",
+ "cryptography",
+ "examples",
+ )
+
+ def test_cryptography_weak_cipher_rule_meta(self):
+ rule = Rule.get_by_id(self.rule_id)
+ self.assertEqual(self.rule_id, rule.id)
+ self.assertEqual(
+ "use_of_a_broken_or_risky_cryptographic_algorithm", rule.name
+ )
+ self.assertEqual(
+ f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
+ )
+ self.assertEqual(True, rule.default_config.enabled)
+ self.assertEqual(Level.WARNING, rule.default_config.level)
+ self.assertEqual(-1.0, rule.default_config.rank)
+ self.assertEqual("327", rule.cwe.cwe_id)
diff --git a/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_cipher_mode.py b/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_cipher_mode.py
new file mode 100644
index 00000000..bc693a88
--- /dev/null
+++ b/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_cipher_mode.py
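Review bot: `from parameterized import parameterized` is imported but never used in test_cryptography_weak_cipher.py, and unlike test_cryptography_weak_cipher_mode.py and test_cryptography_weak_hash.py in this same commit the class has no parameterized `test` method, so the algorithms_arc4, algorithms_blowfish and algorithms_idea examples annotated here are never run through `self.check`. If leaving them out is deliberate (for instance until their expected locations are settled), drop the import or leave a TODO saying so; otherwise add the method below after `test_cryptography_weak_cipher_rule_meta`. Separately, `self.assertEqual(True, rule.default_config.enabled)` reads more naturally as `self.assertTrue(rule.default_config.enabled)`, here and in the two sibling test files.
```python
class CryptographyWeakCipherTests(test_case.TestCase):
    # … unchanged: setUp and test_cryptography_weak_cipher_rule_meta …

    @parameterized.expand(
        [
            "algorithms_arc4",
            "algorithms_blowfish",
            "algorithms_idea",
        ]
    )
    def test(self, filename):
        self.check(filename)
```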
@@ -0,0 +1,45 @@
+# Copyright 2023 Secure Saurce LLC
+import os
+
+from parameterized import parameterized
+
+from precli.core.level import Level
+from precli.parsers import python
+from precli.rules import Rule
+from tests.unit.rules.python import test_case
+
+
+class CryptographyWeakCipherModeTests(test_case.TestCase):
+ def setUp(self):
+ super().setUp()
+ self.rule_id = "PRE0502"
+ self.parser = python.Python(enabled=[self.rule_id])
+ self.base_path = os.path.join(
+ "tests",
+ "unit",
+ "rules",
+ "python",
+ "third_party",
+ "cryptography",
+ "examples",
+ )
+
+ def test_cryptography_weak_cipher_mode_rule_meta(self):
+ rule = Rule.get_by_id(self.rule_id)
+ self.assertEqual(self.rule_id, rule.id)
+ self.assertEqual("use_of_risky_cryptographic_cipher_mode", rule.name)
+ self.assertEqual(
+ f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
+ )
+ self.assertEqual(True, rule.default_config.enabled)
+ self.assertEqual(Level.WARNING, rule.default_config.level)
+ self.assertEqual(-1.0, rule.default_config.rank)
+ self.assertEqual("327", rule.cwe.cwe_id)
+
+ @parameterized.expand(
+ [
+ "modes_ecb",
+ ]
+ )
+ def test(self, filename):
+ self.check(filename)
diff --git a/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_hash.py b/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_hash.py
new file mode 100644
index 00000000..85029fa0
--- /dev/null
+++ b/tests/unit/rules/python/third_party/cryptography/test_cryptography_weak_hash.py
@@ -0,0 +1,46 @@
+# Copyright 2023 Secure Saurce LLC
+import os
+
+from parameterized import parameterized
+
+from precli.core.level import Level
+from precli.parsers import python
+from precli.rules import Rule
+from tests.unit.rules.python import test_case
+
+
+class CryptographyWeakHashTests(test_case.TestCase):
+ def setUp(self):
+ super().setUp()
+ self.rule_id = "PRE0503"
+ self.parser = python.Python(enabled=[self.rule_id])
+ self.base_path = os.path.join(
+ "tests",
+ "unit",
+ "rules",
+ "python",
+ "third_party",
+ "cryptography",
+ "examples",
+ )
+
+ def test_cryptography_weak_hash_rule_meta(self):
+ rule = Rule.get_by_id(self.rule_id)
+ self.assertEqual(self.rule_id, rule.id)
+ self.assertEqual("reversible_one_way_hash", rule.name)
+ self.assertEqual(
+ f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
+ )
+ self.assertEqual(True, rule.default_config.enabled)
+ self.assertEqual(Level.WARNING, rule.default_config.level)
+ self.assertEqual(-1.0, rule.default_config.rank)
+ self.assertEqual("328", rule.cwe.cwe_id)
+
+ @parameterized.expand(
+ [
+ "hashes_md5",
+ "hashes_sha1",
+ ]
+ )
+ def test(self, filename):
+ self.check(filename)