
[Bandit] security report

Open bpereto opened this issue 5 years ago • 1 comments

Bandit security report https://github.com/PyCQA/bandit

Proposal:

  • [ ] Replace pycryptodome with pyca/cryptography (see #207 #208 )
    • Issue: [B414:blacklist] The pycryptodome library is not considered a secure alternative to pycrypto.Consider using pyca/cryptography library.

  • [ ] Update RSA Keysize (see https://github.com/juanifioren/django-oidc-provider/pull/208/files#r137349904)
    • Issue: [B505:weak_cryptographic_key] RSA key sizes below 2048 bits are considered breakable. Severity: Medium Confidence: High

  • [ ] Use secure and standard hash algo
    • Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function. Severity: Medium Confidence: High

    • Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.

bandit -r oidc_provider -x oidc_provider/tests
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.6.6
Run started:2018-10-14 10:00:19.746285

Test results:
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: oidc_provider/admin.py:30
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
29	        else:
30	            return str(randint(1, 999999)).zfill(6)
31	

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: ''
   Severity: Low   Confidence: Medium
   Location: oidc_provider/admin.py:35
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
34	
35	        secret = ''
36	
37	        if instance and instance.pk:

--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
   Severity: Medium   Confidence: High
   Location: oidc_provider/lib/endpoints/authorize.py:201
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
200	                # Create random salt.
201	                salt = md5(uuid4().hex.encode()).hexdigest()
202	

--------------------------------------------------
>> Issue: [B414:blacklist] The pycryptodome library is not considered a secure alternative to pycrypto.Consider using pyca/cryptography library.
   Severity: High   Confidence: High
   Location: oidc_provider/lib/utils/token.py:5
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b414-import-pycryptodome
4	
5	from Cryptodome.PublicKey.RSA import importKey
6	from django.utils import dateformat, timezone

--------------------------------------------------
>> Issue: [B414:blacklist] The pycryptodome library is not considered a secure alternative to pycrypto.Consider using pyca/cryptography library.
   Severity: High   Confidence: High
   Location: oidc_provider/management/commands/creatersakey.py:1
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b414-import-pycryptodome
1	from Cryptodome.PublicKey import RSA
2	from django.core.management.base import BaseCommand
3	

--------------------------------------------------
>> Issue: [B505:weak_cryptographic_key] RSA key sizes below 2048 bits are considered breakable. 
   Severity: Medium   Confidence: High
   Location: oidc_provider/management/commands/creatersakey.py:12
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b505_weak_cryptographic_key.html
11	        try:
12	            key = RSA.generate(1024)
13	            rsakey = RSAKey(key=key.exportKey('PEM').decode('utf8'))

--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
   Severity: Medium   Confidence: High
   Location: oidc_provider/models.py:237
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
236	    def kid(self):
237	        return u'{0}'.format(md5(self.key.encode('utf-8')).hexdigest() if self.key else '')

--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: oidc_provider/settings.py:98
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
97	            self._unauthenticated_session_management_key = ''.join(
98	                random.choice(string.ascii_uppercase + string.digits) for _ in range(100))
99	        return self._unauthenticated_session_management_key

--------------------------------------------------
>> Issue: [B414:blacklist] The pycryptodome library is not considered a secure alternative to pycrypto.Consider using pyca/cryptography library.
   Severity: High   Confidence: High
   Location: oidc_provider/views.py:12
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b414-import-pycryptodome
11	
12	from Cryptodome.PublicKey import RSA
13	from django.contrib.auth.views import (

--------------------------------------------------

Code scanned:
	Total lines of code: 2752
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0.0
		Low: 3.0
		Medium: 3.0
		High: 3.0
	Total issues (by confidence):
		Undefined: 0.0
		Low: 0.0
		Medium: 1.0
		High: 8.0
Files skipped (0):

bpereto avatar Oct 14 '18 10:10 bpereto
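An added example (not code from django-oidc-provider or the issue author) that puts the flagged B311 and B303 snippets from the report beside standard-library replacements, plus a pyca/cryptography 2048-bit key generator for the B505/B414 items; all function names are assumptions, and only `generate_rsa_key_pem` needs the `cryptography` package.

```python
import hashlib
import secrets
import string
from random import randint  # kept only to show the flagged pattern beside the fix

# B311, oidc_provider/admin.py:30: the 6-digit code comes from the Mersenne Twister,
# whose internal state can be recovered from observed outputs, so later codes are predictable.
def weak_six_digit_code():
    return str(randint(1, 999999)).zfill(6)

def secure_six_digit_code():
    # secrets draws from the OS CSPRNG; randbelow(10**6) yields 0..999999 uniformly.
    return str(secrets.randbelow(10**6)).zfill(6)

# B311, oidc_provider/settings.py:98: same charset and length as the original
# unauthenticated session management key, drawn with secrets.choice instead of random.choice.
ALPHABET = string.ascii_uppercase + string.digits

def secure_session_management_key(length=100):
    return ''.join(secrets.choice(ALPHABET) for _ in range(length))

# B303, oidc_provider/models.py kid(): the key id is an MD5 digest of the PEM text.
# kid only needs to be a stable, unique fingerprint, so SHA-256 over the same input
# drops the blacklisted primitive without changing how the value is derived.
# Caveat: every existing kid changes, so the published JWKS must be regenerated.
def weak_kid(key_pem):
    return hashlib.md5(key_pem.encode('utf-8')).hexdigest() if key_pem else ''

def secure_kid(key_pem):
    return hashlib.sha256(key_pem.encode('utf-8')).hexdigest() if key_pem else ''

# B505/B414, creatersakey.py: 2048-bit key generated with pyca/cryptography instead of
# Cryptodome. The import is local because the package is an assumed optional dependency
# here; TraditionalOpenSSL gives the same PKCS#1 'BEGIN RSA PRIVATE KEY' PEM that
# exportKey('PEM') produced, so RSAKey.key keeps its format.
def generate_rsa_key_pem(bits=2048):
    if bits < 2048:
        raise ValueError('RSA keys below 2048 bits are flagged by Bandit B505')
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,
        serialization.NoEncryption(),
    ).decode('utf8')
```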

I know this is old, but looks like cryptodome is no longer on the blacklist:

django-oidc-provider$ bandit -r oidc_provider/ -x oidc_provider/tests/
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.7.5
53 [0.. 50.. ]
Run started:2020-07-29 16:01:22.683000

Test results:
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: oidc_provider/admin.py:30
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
29	        else:
30	            return str(randint(1, 999999)).zfill(6)
31	

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: ''
   Severity: Low   Confidence: Medium
   Location: oidc_provider/admin.py:35
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
34	
35	        secret = ''
36	
37	        if instance and instance.pk:

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'bearer'
   Severity: Low   Confidence: Medium
   Location: oidc_provider/lib/endpoints/authorize.py:190
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
189	
190	                query_fragment['token_type'] = 'bearer'
191	

--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
   Severity: Medium   Confidence: High
   Location: oidc_provider/lib/endpoints/authorize.py:203
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
202	                # Create random salt.
203	                salt = md5(uuid4().hex.encode()).hexdigest()
204	

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: ''
   Severity: Low   Confidence: Medium
   Location: oidc_provider/lib/utils/oauth2.py:48
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
47	        except Exception:
48	            client_id = client_secret = ''
49	    else:

--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
   Severity: Medium   Confidence: High
   Location: oidc_provider/models.py:267
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
266	    def kid(self):
267	        return u'{0}'.format(md5(self.key.encode('utf-8')).hexdigest() if self.key else '')

--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: oidc_provider/settings.py:98
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
97	            self._unauthenticated_session_management_key = ''.join(
98	                random.choice(string.ascii_uppercase + string.digits) for _ in range(100))
99	        return self._unauthenticated_session_management_key

--------------------------------------------------

Code scanned:
	Total lines of code: 2823
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0.0
		Low: 5.0
		Medium: 2.0
		High: 0.0
	Total issues (by confidence):
		Undefined: 0.0
		Low: 0.0
		Medium: 3.0
		High: 4.0
Files skipped (0):

geoff-va avatar Jul 29 '20 16:07 geoff-va