-
Notifications
You must be signed in to change notification settings - Fork 11
Expand file tree
/
Copy pathpython-cryptographic-failures.mdc
More file actions
193 lines (168 loc) · 8 KB
/
python-cryptographic-failures.mdc
File metadata and controls
193 lines (168 loc) · 8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
---
description: Detect and prevent cryptographic failures in Python applications as defined in OWASP Top 10:2021-A02
globs: *.py
alwaysApply: false
---
# Python Cryptographic Failures Security Standards (OWASP A02:2021)
This rule enforces security best practices to prevent cryptographic failures in Python applications, as defined in OWASP Top 10:2021-A02.
<rule>
name: python_cryptographic_failures
description: Detect and prevent cryptographic failures in Python applications as defined in OWASP Top 10:2021-A02
filters:
- type: file_extension
pattern: "\\.(py)$"
- type: file_path
pattern: ".*"
actions:
- type: enforce
conditions:
# Pattern 1: Weak or insecure cryptographic algorithms
- pattern: "import\\s+(md5|sha1)|hashlib\\.(md5|sha1)\\(|Crypto\\.Hash\\.(MD5|SHA1)|cryptography\\.hazmat\\.primitives\\.hashes\\.(MD5|SHA1)"
message: "Using weak hashing algorithms (MD5/SHA1). Use SHA-256 or stronger algorithms from the hashlib or cryptography packages."
# Pattern 2: Hardcoded secrets/credentials
- pattern: "(password|secret|key|token|auth)\\s*=\\s*['\"][^'\"]+['\"]"
message: "Potential hardcoded credentials detected. Store secrets in environment variables or a secure vault."
# Pattern 3: Insecure random number generation
- pattern: "random\\.(random|randint|choice|sample)|import random"
message: "Using Python's standard random module for security purposes. Use secrets module or cryptography.hazmat.primitives.asymmetric for cryptographic operations."
# Pattern 4: Weak SSL/TLS configuration
- pattern: "ssl\\.PROTOCOL_(SSLv2|SSLv3|TLSv1|TLSv1_1)|SSLContext\\(\\s*ssl\\.PROTOCOL_(SSLv2|SSLv3|TLSv1|TLSv1_1)\\)"
message: "Using deprecated/insecure SSL/TLS protocol versions. Use TLS 1.2+ (ssl.PROTOCOL_TLS_CLIENT with minimum version set)."
# Pattern 5: Missing certificate validation
- pattern: "verify\\s*=\\s*False|check_hostname\\s*=\\s*False|CERT_NONE"
message: "SSL certificate validation is disabled. Always validate certificates in production environments."
# Pattern 6: Insecure cipher usage
- pattern: "DES|RC4|Blowfish|ECB"
message: "Using insecure encryption cipher or mode. Use AES with GCM or CBC mode with proper padding."
# Pattern 7: Insufficient key length
- pattern: "RSA\\([^,]+,\\s*[0-9]+\\s*\\)|key_size\\s*=\\s*([0-9]|10[0-9][0-9]|11[0-9][0-9]|12[0-4][0-9])"
message: "Using insufficient key length for asymmetric encryption. RSA keys should be at least 2048 bits, preferably 4096 bits."
# Pattern 8: Insecure password hashing
- pattern: "\\.encode\\(['\"]utf-?8['\"]\\)\\.(digest|hexdigest)\\(\\)|hashlib\\.[a-zA-Z0-9]+\\([^)]*\\)\\.(digest|hexdigest)\\(\\)"
message: "Using plain hashing for passwords. Use dedicated password hashing functions like bcrypt, Argon2, or PBKDF2."
# Pattern 9: Missing salt in password hashing
- pattern: "pbkdf2_hmac\\([^,]+,[^,]+,[^,]+,\\s*[0-9]+\\s*\\)"
message: "Ensure you're using a proper random salt with password hashing functions."
# Pattern 10: Insecure cookie settings
- pattern: "set_cookie\\([^)]*secure\\s*=\\s*False|set_cookie\\([^)]*httponly\\s*=\\s*False"
message: "Cookies with sensitive data should have secure and httponly flags enabled."
- type: suggest
message: |
**Python Cryptography Best Practices:**
1. **Secure Password Storage:**
- Use dedicated password hashing algorithms:
```python
import bcrypt
hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(rounds=12))
```
- Or use Argon2 (preferred) or PBKDF2 with sufficient iterations:
```python
from argon2 import PasswordHasher
ph = PasswordHasher()
hash = ph.hash(password)
```
2. **Secure Random Number Generation:**
- Use the `secrets` module for cryptographic operations:
```python
import secrets
token = secrets.token_hex(32) # 256 bits of randomness
```
- For cryptographic keys, use proper key generation functions:
```python
from cryptography.hazmat.primitives.asymmetric import rsa
private_key = rsa.generate_private_key(public_exponent=65537, key_size=4096)
```
3. **Secure Communications:**
- Use TLS 1.2+ for all communications:
```python
import ssl
context = ssl.create_default_context()
context.minimum_version = ssl.TLSVersion.TLSv1_2
```
- Always validate certificates:
```python
import requests
response = requests.get('https://example.com', verify=True)
```
4. **Proper Key Management:**
- Never hardcode secrets in source code
- Use environment variables or secure vaults:
```python
import os
api_key = os.environ.get('API_KEY')
```
- Consider using dedicated key management services
5. **Secure Encryption:**
- Use high-level libraries like `cryptography`:
```python
from cryptography.fernet import Fernet
key = Fernet.generate_key()
f = Fernet(key)
encrypted = f.encrypt(data)
```
- For lower-level needs, use authenticated encryption (AES-GCM):
```python
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
key = AESGCM.generate_key(bit_length=256)
aesgcm = AESGCM(key)
nonce = os.urandom(12)
encrypted = aesgcm.encrypt(nonce, data, associated_data)
```
6. **Secure Cookie Handling:**
- Set secure and httponly flags:
```python
# Flask example
response.set_cookie('session', session_id, httponly=True, secure=True, samesite='Lax')
```
- Use signed cookies or tokens:
```python
# Django example - uses signed cookies by default
request.session['user_id'] = user.id
```
7. **Input Validation:**
- Validate all cryptographic inputs
- Use constant-time comparison for secrets:
```python
import hmac
def constant_time_compare(a, b):
return hmac.compare_digest(a, b)
```
- type: validate
conditions:
# Check 1: Proper password hashing
- pattern: "bcrypt\\.hashpw|argon2|PasswordHasher|pbkdf2_hmac\\([^,]+,[^,]+,[^,]+,\\s*[0-9]{4,}\\s*\\)"
message: "Using secure password hashing algorithm."
# Check 2: Secure random generation
- pattern: "secrets\\.|urandom|cryptography\\.hazmat\\.primitives\\.asymmetric"
message: "Using cryptographically secure random number generation."
# Check 3: Strong TLS configuration
- pattern: "ssl\\.PROTOCOL_TLS|minimum_version\\s*=\\s*ssl\\.TLSVersion\\.TLSv1_2|create_default_context"
message: "Using secure TLS configuration."
# Check 4: Proper certificate validation
- pattern: "verify\\s*=\\s*True|check_hostname\\s*=\\s*True|CERT_REQUIRED"
message: "Properly validating SSL certificates."
metadata:
priority: high
version: 1.0
tags:
- security
- python
- cryptography
- encryption
- owasp
- language:python
- framework:django
- framework:flask
- framework:fastapi
- category:security
- subcategory:cryptography
- standard:owasp-top10
- risk:a02-cryptographic-failures
references:
- "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
- "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html"
- "https://docs.python.org/3/library/secrets.html"
- "https://cryptography.io/en/latest/"
- "https://pypi.org/project/bcrypt/"
- "https://pypi.org/project/argon2-cffi/"
</rule>