Skip to content

Commit 5536878

Browse files
ESS-ENNESS-ENN
committed
hashids-with-django-secret-python
1 parent 7ae95c5 commit 5536878

File tree

3 files changed

+38
-0
lines changed

3 files changed

+38
-0
lines changed

rules/python/security/hashids-with-django-secret-python.yml

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
id: hashids-with-django-secret-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
The Django secret key is used as salt in HashIDs. The HashID mechanism
6+
is not secure. By observing sufficient HashIDs, the salt used to construct
7+
them can be recovered. This means the Django secret key can be obtained by
8+
attackers, through the HashIDs.
9+
note: >-
10+
[CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
11+
[OWASP A02:2021]: Cryptographic Failures
12+
[REFERENCES]
13+
https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY
14+
http://carnage.github.io/2015/08/cryptanalysis-of-hashids
15+
rule:
16+
any:
17+
- pattern: Hashids(salt=settings.SECRET_KEY, $$$)
18+
- pattern: Hashids(settings.SECRET_KEY, $$$)

tests/__snapshots__/hashids-with-django-secret-python-snapshot.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
id: hashids-with-django-secret-python
2+
snapshots:
3+
? |
4+
Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH)
5+
Hashids(salt=settings.SECRET_KEY, min_length=4, alphabet="abcdefghijklmnopqrstuvwxyz")
6+
Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet)
7+
: labels:
8+
- source: Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH)
9+
style: primary
10+
start: 0
11+
end: 73

tests/python/hashids-with-django-secret-python-test.yml

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
id: hashids-with-django-secret-python
2+
valid:
3+
- |
4+
Hashids(salt=md5.hexdigest(), min_length=16)
5+
invalid:
6+
- |
7+
Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH)
8+
Hashids(salt=settings.SECRET_KEY, min_length=4, alphabet="abcdefghijklmnopqrstuvwxyz")
9+
Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet)

0 commit comments

Comments
 (0)