django-oidc-provider
[Bandit] security report
Bandit security report https://github.com/PyCQA/bandit
Proposal:

- [ ] Replace `pycryptodome` with `pyca/cryptography` (see #207 #208)
  - Issue: [B414:blacklist] The pycryptodome library is not considered a secure alternative to pycrypto.Consider using pyca/cryptography library.
- [ ] Update RSA Keysize (see https://github.com/juanifioren/django-oidc-provider/pull/208/files#r137349904)
  - Issue: [B505:weak_cryptographic_key] RSA key sizes below 2048 bits are considered breakable. Severity: Medium Confidence: High
- [ ] Use secure and standard hash algo
  - Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function. Severity: Medium Confidence: High
  - Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
```
bandit -r oidc_provider -x oidc_provider/tests
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.6.6
Run started:2018-10-14 10:00:19.746285
Test results:
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
Location: oidc_provider/admin.py:30
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
29 else:
30 return str(randint(1, 999999)).zfill(6)
31
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: ''
Severity: Low Confidence: Medium
Location: oidc_provider/admin.py:35
More Info: https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
34
35 secret = ''
36
37 if instance and instance.pk:
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
Location: oidc_provider/lib/endpoints/authorize.py:201
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
200 # Create random salt.
201 salt = md5(uuid4().hex.encode()).hexdigest()
202
--------------------------------------------------
>> Issue: [B414:blacklist] The pycryptodome library is not considered a secure alternative to pycrypto.Consider using pyca/cryptography library.
Severity: High Confidence: High
Location: oidc_provider/lib/utils/token.py:5
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b414-import-pycryptodome
4
5 from Cryptodome.PublicKey.RSA import importKey
6 from django.utils import dateformat, timezone
--------------------------------------------------
>> Issue: [B414:blacklist] The pycryptodome library is not considered a secure alternative to pycrypto.Consider using pyca/cryptography library.
Severity: High Confidence: High
Location: oidc_provider/management/commands/creatersakey.py:1
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b414-import-pycryptodome
1 from Cryptodome.PublicKey import RSA
2 from django.core.management.base import BaseCommand
3
--------------------------------------------------
>> Issue: [B505:weak_cryptographic_key] RSA key sizes below 2048 bits are considered breakable.
Severity: Medium Confidence: High
Location: oidc_provider/management/commands/creatersakey.py:12
More Info: https://bandit.readthedocs.io/en/latest/plugins/b505_weak_cryptographic_key.html
11 try:
12 key = RSA.generate(1024)
13 rsakey = RSAKey(key=key.exportKey('PEM').decode('utf8'))
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
Location: oidc_provider/models.py:237
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
236 def kid(self):
237 return u'{0}'.format(md5(self.key.encode('utf-8')).hexdigest() if self.key else '')
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
Location: oidc_provider/settings.py:98
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
97 self._unauthenticated_session_management_key = ''.join(
98 random.choice(string.ascii_uppercase + string.digits) for _ in range(100))
99 return self._unauthenticated_session_management_key
--------------------------------------------------
>> Issue: [B414:blacklist] The pycryptodome library is not considered a secure alternative to pycrypto.Consider using pyca/cryptography library.
Severity: High Confidence: High
Location: oidc_provider/views.py:12
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b414-import-pycryptodome
11
12 from Cryptodome.PublicKey import RSA
13 from django.contrib.auth.views import (
--------------------------------------------------
Code scanned:
Total lines of code: 2752
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0.0
Low: 3.0
Medium: 3.0
High: 3.0
Total issues (by confidence):
Undefined: 0.0
Low: 0.0
Medium: 1.0
High: 8.0
Files skipped (0):
```
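The remediations the checklist above proposes, shown as standard-library replacements for the lines Bandit flagged (B311 in `admin.py` and `settings.py`, B303 in `authorize.py` and `models.py`, B505 in `creatersakey.py`). This is an added example, not django-oidc-provider's own code: the function names are assumptions, and the key generator assumes pyca/cryptography is installed, which the standard library does not provide.

```python
"""Added example (not django-oidc-provider's own code): stdlib replacements
for the Bandit B311 / B303 findings above, plus a guarded 2048-bit RSA
generator for the B505 finding. Function names are assumptions."""
import hashlib
import secrets
import string

OTP_DIGITS = 6
# Same alphabet the flagged settings.py code draws from.
SESSION_KEY_ALPHABET = string.ascii_uppercase + string.digits


def generate_verification_code(digits: int = OTP_DIGITS) -> str:
    """Replacement for `str(randint(1, 999999)).zfill(6)` (admin.py:30).

    secrets.randbelow reads the OS CSPRNG, so a code cannot be predicted from
    earlier codes the way Mersenne Twister output can. The 1..999999 range and
    zero-padded width of the original are preserved.
    """
    return str(secrets.randbelow(10 ** digits - 1) + 1).zfill(digits)


def generate_session_management_key(length: int = 100) -> str:
    """Replacement for the random.choice(...) loop (settings.py:98).

    Same alphabet and length as the original; only the generator changes.
    """
    return "".join(secrets.choice(SESSION_KEY_ALPHABET) for _ in range(length))


def generate_salt(nbytes: int = 16) -> str:
    """Replacement for md5(uuid4().hex.encode()).hexdigest() (authorize.py:201).

    A salt needs randomness, not a hash: token_hex returns nbytes of CSPRNG
    output as 2*nbytes hex characters (32 for the default, the same width as
    the old MD5 hex digest, so downstream column sizes are unaffected).
    """
    return secrets.token_hex(nbytes)


def key_id(pem_key: str) -> str:
    """Replacement for the MD5-based RSAKey.kid property (models.py:237).

    A key identifier only has to be a stable, collision-resistant function of
    the key material; SHA-256 gives that, MD5 does not. Returns '' for an
    empty key, matching the original's behaviour.
    """
    if not pem_key:
        return ""
    return hashlib.sha256(pem_key.encode("utf-8")).hexdigest()


def generate_rsa_private_key_pem(key_size: int = 2048) -> str:
    """Replacement for RSA.generate(1024) (creatersakey.py:12).

    Uses pyca/cryptography (assumed installed; imported lazily so the rest of
    this module works without it). Refuses sizes Bandit B505 would flag.
    """
    if key_size < 2048:
        raise ValueError("RSA keys below 2048 bits are flagged by Bandit B505")
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa

    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption(),
    ).decode("utf-8")


if __name__ == "__main__":
    print("code:", generate_verification_code())
    print("salt:", generate_salt())
    # Constructed placeholder key text, used only to show kid() is deterministic.
    print("kid :", key_id("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----"))
```

One caveat a deployer would want before switching `kid`: relying parties cache the JWKS by key id, so changing the derivation from MD5 to SHA-256 changes every published `kid` at once and should be rolled out as a key rotation, not a silent rename.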
I know this is old, but looks like cryptodome is no longer on the blacklist:
```
django-oidc-provider$ bandit -r oidc_provider/ -x oidc_provider/tests/
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.7.5
53 [0.. 50.. ]
Run started:2020-07-29 16:01:22.683000
Test results:
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
Location: oidc_provider/admin.py:30
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
29 else:
30 return str(randint(1, 999999)).zfill(6)
31
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: ''
Severity: Low Confidence: Medium
Location: oidc_provider/admin.py:35
More Info: https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
34
35 secret = ''
36
37 if instance and instance.pk:
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'bearer'
Severity: Low Confidence: Medium
Location: oidc_provider/lib/endpoints/authorize.py:190
More Info: https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
189
190 query_fragment['token_type'] = 'bearer'
191
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
Location: oidc_provider/lib/endpoints/authorize.py:203
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
202 # Create random salt.
203 salt = md5(uuid4().hex.encode()).hexdigest()
204
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: ''
Severity: Low Confidence: Medium
Location: oidc_provider/lib/utils/oauth2.py:48
More Info: https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
47 except Exception:
48 client_id = client_secret = ''
49 else:
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
Location: oidc_provider/models.py:267
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
266 def kid(self):
267 return u'{0}'.format(md5(self.key.encode('utf-8')).hexdigest() if self.key else '')
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
Location: oidc_provider/settings.py:98
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
97 self._unauthenticated_session_management_key = ''.join(
98 random.choice(string.ascii_uppercase + string.digits) for _ in range(100))
99 return self._unauthenticated_session_management_key
--------------------------------------------------
Code scanned:
Total lines of code: 2823
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0.0
Low: 5.0
Medium: 2.0
High: 0.0
Total issues (by confidence):
Undefined: 0.0
Low: 0.0
Medium: 3.0
High: 4.0
Files skipped (0):
```