codeql/python/ql/src/Security/CWE-327
Rasmus Wriedt Larsen 605bd19306 Python: Add CWE-328 to py/weak-sensitive-data-hashing
Reading over the description at https://cwe.mitre.org/data/definitions/328.html:

> The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.

For the data that does not require computationally expensive hashing, that will be exactly the problems that this query finds 👍 (that is, MD5, SHA1)
2021-08-25 10:19:22 +02:00

Current status (Feb 2021)

This should be kept up to date; the world is moving fast and protocols are being broken.

Protocols

  • All versions of SSL are insecure
  • TLS 1.0 and TLS 1.1 are insecure
  • TLS 1.2 has some issues, but TLS 1.3 is not widely supported

Connection methods

  • ssl.wrap_socket creates insecure connections; use SSLContext.wrap_socket instead.

    Deprecated since version 3.7: Since Python 3.2 and 2.7.9, it is recommended to use the SSLContext.wrap_socket() instead of wrap_socket(). The top-level function is limited and creates an insecure client socket without server name indication or hostname matching.

  • Default constructors are fine; a fluent API is used to constrain the possible protocols later.

Current recommendation

TLS 1.2 or TLS 1.3
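
The following is an added example, not code from the CodeQL repository: it builds a client context from the default constructor, constrains it to TLS 1.2 or later, and checks which of the insecure versions listed above a given set of context settings would still permit. The names insecure_versions_allowed, audit and hardened_client_context are hypothetical, and the settings used in the demo at the bottom are constructed.

```python
import ssl

# Protocol versions the list above marks as insecure, paired with the legacy
# option flag that disables each one (SSLv2 has no ssl.TLSVersion member).
INSECURE = [
    ("SSLv3", ssl.TLSVersion.SSLv3, ssl.OP_NO_SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
]


def insecure_versions_allowed(minimum, maximum, options):
    """Return the names of insecure versions these settings still permit."""
    allowed = []
    for name, version, no_flag in INSECURE:
        # The *_SUPPORTED sentinels are negative, so they need explicit handling.
        above_min = minimum == ssl.TLSVersion.MINIMUM_SUPPORTED or version >= minimum
        below_max = maximum == ssl.TLSVersion.MAXIMUM_SUPPORTED or version <= maximum
        if above_min and below_max and not options & no_flag:
            allowed.append(name)
    return allowed


def audit(ctx):
    """Apply the check to a live SSLContext."""
    return insecure_versions_allowed(
        ctx.minimum_version, ctx.maximum_version, ctx.options)


def hardened_client_context():
    """Default constructor first, then constrain to TLS 1.2 or later."""
    ctx = ssl.create_default_context()  # verifies certificates and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("hardened:", audit(ctx), ctx.check_hostname, ctx.verify_mode)
    # Constructed settings: no version floor and no OP_NO_* flags.
    print("unconstrained:", insecure_versions_allowed(
        ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.MAXIMUM_SUPPORTED, 0))
```

Sockets are then created with ctx.wrap_socket(sock, server_hostname=...), which is the SSLContext.wrap_socket path recommended above.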

Queries

  • InsecureProtocol detects uses of insecure protocols.
  • InsecureDefaultProtocol detects default constructions; this is no longer unsafe.