This repository has been archived by the owner on Oct 6, 2020. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix #36, lint for insecure itsdangerous kwarg usage
- Loading branch information
Showing
7 changed files
with
250 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
#!/usr/bin/env python | ||
|
||
from __future__ import ( | ||
absolute_import, | ||
division, | ||
print_function, | ||
unicode_literals, | ||
) | ||
|
||
import functools | ||
|
||
from .helpers import bad_kwarg_use | ||
|
||
from .. import tree | ||
|
||
|
||
class BadItsDangerousKwargUseLinter(bad_kwarg_use.BadKwargUseLinter): | ||
"""This linter looks for unsafe use of itsdangerous keyword arguments. These | ||
keyword arguments may indicate insecure signing is being performed. | ||
""" | ||
off_by_default = False | ||
|
||
_code = 'DUO137' | ||
_error_tmpl = 'DUO137 insecure "itsdangerous" use allowing empty signing' | ||
|
||
@property | ||
def kwargs(self): | ||
def none_algorithm_predicate(call, kwarg_name): | ||
return tree.kwarg_any([ | ||
functools.partial( | ||
tree.kwarg_module_path_call, | ||
call, | ||
kwarg_name, | ||
"itsdangerous.signer.NoneAlgorithm", | ||
self.namespace | ||
), | ||
functools.partial( | ||
tree.kwarg_module_path_call, | ||
call, | ||
kwarg_name, | ||
"itsdangerous.NoneAlgorithm", | ||
self.namespace | ||
), | ||
]) | ||
|
||
def none_string_predicate(call, kwarg_name): | ||
return functools.partial( | ||
tree.kwarg_str, | ||
call, | ||
kwarg_name, | ||
"none" | ||
), | ||
|
||
return [ | ||
{ | ||
"module_path": "itsdangerous.signer.Signer", | ||
"kwarg_name": "algorithm", | ||
"predicate": none_algorithm_predicate, | ||
}, | ||
{ | ||
"module_path": "itsdangerous.Signer", | ||
"kwarg_name": "algorithm", | ||
"predicate": none_algorithm_predicate, | ||
}, | ||
{ | ||
"module_path": "itsdangerous.timed.TimestampSigner", | ||
"kwarg_name": "algorithm", | ||
"predicate": none_algorithm_predicate, | ||
}, | ||
{ | ||
"module_path": "itsdangerous.TimestampSigner", | ||
"kwarg_name": "algorithm", | ||
"predicate": none_algorithm_predicate, | ||
}, | ||
{ | ||
"module_path": "itsdangerous.jws.JSONWebSignatureSerializer", | ||
"kwarg_name": "algorithm_name", | ||
"predicate": none_string_predicate, | ||
}, | ||
{ | ||
"module_path": "itsdangerous.JSONWebSignatureSerializer", | ||
"kwarg_name": "algorithm_name", | ||
"predicate": none_string_predicate, | ||
}, | ||
] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
# DUO137 | ||
|
||
This linter searches for insecure keyword argument use in the `itsdangerous` | ||
library. Specifically, it looks for signing operations using the none algorithm | ||
which results in empty signatures. | ||
|
||
## Problematic code | ||
|
||
```python | ||
>>> import itsdangerous | ||
>>> s1 = itsdangerous.signer.Signer("key1", algorithm=itsdangerous.signer.NoneAlgorithm()) | ||
>>> s2 = itsdangerous.signer.Signer("key2", algorithm=itsdangerous.signer.NoneAlgorithm()) | ||
>>> signature = s1.sign("foo") | ||
>>> s2.unsign(signature) | ||
foo | ||
``` | ||
|
||
The following usages of the none algorithm are insecure: | ||
|
||
```python | ||
itsdangerous.signer.Signer("key", algorithm=itsdangerous.signer.NoneAlgorithm()) | ||
itsdangerous.signer.Signer("key", algorithm=itsdangerous.NoneAlgorithm()) | ||
itsdangerous.Signer("key", algorithm=itsdangerous.NoneAlgorithm()) | ||
itsdangerous.Signer("key", algorithm=itsdangerous.signer.NoneAlgorithm()) | ||
|
||
itsdangerous.timed.TimestampSigner("key", algorithm=itsdangerous.signer.NoneAlgorithm()) | ||
itsdangerous.timed.TimestampSigner("key", algorithm=itsdangerous.NoneAlgorithm()) | ||
itsdangerous.TimestampSigner("key", algorithm=itsdangerous.NoneAlgorithm()) | ||
itsdangerous.TimestampSigner("key", algorithm=itsdangerous.signer.NoneAlgorithm()) | ||
|
||
itsdangerous.jws.JSONWebSignatureSerializer("key", algorithm_name="none") | ||
itsdangerous.JSONWebSignatureSerializer("key", algorithm_name="none") | ||
``` | ||
|
||
## Correct code | ||
|
||
Simply not specifying `algorithm|algorithm_name` will default to secure | ||
behavior. Further, setting `HMACAlgorithm` will ensure verification is | ||
performed. | ||
|
||
## Rationale | ||
|
||
Setting the algorithm to none turns off signature verification. This breaks | ||
HMAC security. For more information see | ||
[Critical vulnerabilities in JSON Web Token libraries](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/). | ||
|
||
## Exceptions | ||
|
||
None |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,98 @@ | ||
#!/usr/bin/env python | ||
|
||
from __future__ import ( | ||
absolute_import, | ||
division, | ||
print_function, | ||
unicode_literals, | ||
) | ||
|
||
import unittest | ||
|
||
import dlint | ||
|
||
|
||
class TestBadItsDangerousKwargUse(dlint.test.base.BaseTest): | ||
|
||
def test_bad_itsdangerous_kwarg_usage(self): | ||
python_node = self.get_ast_node( | ||
""" | ||
import itsdangerous | ||
itsdangerous.signer.Signer("key", algorithm=itsdangerous.signer.NoneAlgorithm()) | ||
itsdangerous.signer.Signer("key", algorithm=itsdangerous.NoneAlgorithm()) | ||
itsdangerous.Signer("key", algorithm=itsdangerous.NoneAlgorithm()) | ||
itsdangerous.Signer("key", algorithm=itsdangerous.signer.NoneAlgorithm()) | ||
itsdangerous.timed.TimestampSigner("key", algorithm=itsdangerous.signer.NoneAlgorithm()) | ||
itsdangerous.timed.TimestampSigner("key", algorithm=itsdangerous.NoneAlgorithm()) | ||
itsdangerous.TimestampSigner("key", algorithm=itsdangerous.NoneAlgorithm()) | ||
itsdangerous.TimestampSigner("key", algorithm=itsdangerous.signer.NoneAlgorithm()) | ||
itsdangerous.jws.JSONWebSignatureSerializer("key", algorithm_name="none") | ||
itsdangerous.JSONWebSignatureSerializer("key", algorithm_name="none") | ||
""" | ||
) | ||
|
||
linter = dlint.linters.BadItsDangerousKwargUseLinter() | ||
linter.visit(python_node) | ||
|
||
result = linter.get_results() | ||
expected = [ | ||
dlint.linters.base.Flake8Result( | ||
lineno=4, | ||
col_offset=0, | ||
message=dlint.linters.BadItsDangerousKwargUseLinter._error_tmpl | ||
), | ||
dlint.linters.base.Flake8Result( | ||
lineno=5, | ||
col_offset=0, | ||
message=dlint.linters.BadItsDangerousKwargUseLinter._error_tmpl | ||
), | ||
dlint.linters.base.Flake8Result( | ||
lineno=6, | ||
col_offset=0, | ||
message=dlint.linters.BadItsDangerousKwargUseLinter._error_tmpl | ||
), | ||
dlint.linters.base.Flake8Result( | ||
lineno=7, | ||
col_offset=0, | ||
message=dlint.linters.BadItsDangerousKwargUseLinter._error_tmpl | ||
), | ||
dlint.linters.base.Flake8Result( | ||
lineno=9, | ||
col_offset=0, | ||
message=dlint.linters.BadItsDangerousKwargUseLinter._error_tmpl | ||
), | ||
dlint.linters.base.Flake8Result( | ||
lineno=10, | ||
col_offset=0, | ||
message=dlint.linters.BadItsDangerousKwargUseLinter._error_tmpl | ||
), | ||
dlint.linters.base.Flake8Result( | ||
lineno=11, | ||
col_offset=0, | ||
message=dlint.linters.BadItsDangerousKwargUseLinter._error_tmpl | ||
), | ||
dlint.linters.base.Flake8Result( | ||
lineno=12, | ||
col_offset=0, | ||
message=dlint.linters.BadItsDangerousKwargUseLinter._error_tmpl | ||
), | ||
dlint.linters.base.Flake8Result( | ||
lineno=14, | ||
col_offset=0, | ||
message=dlint.linters.BadItsDangerousKwargUseLinter._error_tmpl | ||
), | ||
dlint.linters.base.Flake8Result( | ||
lineno=15, | ||
col_offset=0, | ||
message=dlint.linters.BadItsDangerousKwargUseLinter._error_tmpl | ||
), | ||
] | ||
|
||
assert result == expected | ||
|
||
|
||
if __name__ == "__main__": | ||
unittest.main() |