Skip to content

Commit

Permalink
Use a constant for weak hashes (PyCQA#850)
Browse files Browse the repository at this point in the history
Small change to have a variable that has the set of weak hashes.

Signed-off-by: Eric Brown <[email protected]>
  • Loading branch information
ericwb authored Mar 6, 2022
1 parent 808bac2 commit a65c5b6
Showing 1 changed file with 6 additions and 13 deletions.
19 changes: 6 additions & 13 deletions bandit/plugins/hashlib_insecure_functions.py
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,9 @@
from bandit.core import test_properties as test


WEAK_HASHES = ("md4", "md5", "sha", "sha1")


def _hashlib_func(context):
if isinstance(context.call_function_name_qual, str):
qualname_list = context.call_function_name_qual.split(".")
Expand All @@ -54,7 +57,7 @@ def _hashlib_func(context):
func = qualname_list[-1]
keywords = context.call_keywords

if func in ("md4", "md5", "sha", "sha1"):
if func in WEAK_HASHES:
if keywords.get("usedforsecurity", "True") == "True":
return bandit.Issue(
severity=bandit.HIGH,
Expand All @@ -67,12 +70,7 @@ def _hashlib_func(context):
elif func == "new":
args = context.call_args
name = args[0] if args else keywords.get("name", None)
if isinstance(name, str) and name.lower() in (
"md4",
"md5",
"sha",
"sha1",
):
if isinstance(name, str) and name.lower() in WEAK_HASHES:
if keywords.get("usedforsecurity", "True") == "True":
return bandit.Issue(
severity=bandit.HIGH,
Expand All @@ -93,12 +91,7 @@ def _hashlib_new(context):
args = context.call_args
keywords = context.call_keywords
name = args[0] if args else keywords.get("name", None)
if isinstance(name, str) and name.lower() in (
"md4",
"md5",
"sha",
"sha1",
):
if isinstance(name, str) and name.lower() in WEAK_HASHES:
return bandit.Issue(
severity=bandit.MEDIUM,
confidence=bandit.HIGH,
Expand Down

0 comments on commit a65c5b6

Please sign in to comment.