1+ id : hashids-with-django-secret-python
2+ language : python
3+ severity : warning
4+ message : >-
5+ The Django secret key is used as salt in HashIDs. The HashID mechanism
6+ is not secure. By observing sufficient HashIDs, the salt used to construct
7+ them can be recovered. This means the Django secret key can be obtained by
8+ attackers, through the HashIDs.
9+ note : >-
10+ [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
11+ [OWASP A02:2021]: Cryptographic Failures
12+ [REFERENCES]
13+ https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY
14+ http://carnage.github.io/2015/08/cryptanalysis-of-hashids
15+ ast-grep-essentials : true
16+ utils :
17+ Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) :
18+ kind : call
19+ all :
20+ - has :
21+ kind : identifier
22+ nthChild : 1
23+ regex : ^Hashids$
24+ - has :
25+ kind : argument_list
26+ nthChild : 2
27+ has :
28+ kind : keyword_argument
29+ all :
30+ - has :
31+ kind : identifier
32+ regex : ^salt$
33+ - has :
34+ kind : attribute
35+ all :
36+ - has :
37+ kind : identifier
38+ regex : ^settings$
39+ nthChild : 1
40+ - has :
41+ kind : identifier
42+ nthChild : 2
43+ regex : ^SECRET_KEY$
44+ - all :
45+ - any :
46+ - inside :
47+ stopBy : end
48+ follows :
49+ stopBy : end
50+ kind : import_from_statement
51+ pattern : from django.conf import settings
52+ - follows :
53+ stopBy : end
54+ kind : import_from_statement
55+ pattern : from django.conf import settings
56+ - any :
57+ - inside :
58+ stopBy : end
59+ follows :
60+ stopBy : end
61+ kind : import_from_statement
62+ pattern : from hashids import Hashids
63+ - follows :
64+ stopBy : end
65+ kind : import_from_statement
66+ pattern : from hashids import Hashids
67+
68+ Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet) :
69+ kind : call
70+ all :
71+ - has :
72+ kind : identifier
73+ nthChild : 1
74+ regex : ^Hashids$
75+ - has :
76+ kind : argument_list
77+ nthChild : 2
78+ has :
79+ kind : attribute
80+ all :
81+ - has :
82+ kind : identifier
83+ regex : ^settings$
84+ nthChild : 1
85+ - has :
86+ kind : identifier
87+ nthChild : 2
88+ regex : ^SECRET_KEY$
89+ - all :
90+ - any :
91+ - inside :
92+ stopBy : end
93+ follows :
94+ stopBy : end
95+ kind : import_from_statement
96+ pattern : from django.conf import settings
97+ - follows :
98+ stopBy : end
99+ kind : import_from_statement
100+ pattern : from django.conf import settings
101+ - any :
102+ - inside :
103+ stopBy : end
104+ follows :
105+ stopBy : end
106+ kind : import_from_statement
107+ pattern : from hashids import Hashids
108+ - follows :
109+ stopBy : end
110+ kind : import_from_statement
111+ pattern : from hashids import Hashids
112+
113+ hashids.Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) :
114+ kind : call
115+ all :
116+ - has :
117+ kind : attribute
118+ regex : ^hashids.Hashids$
119+ - has :
120+ kind : argument_list
121+ nthChild : 2
122+ has :
123+ kind : keyword_argument
124+ all :
125+ - has :
126+ kind : identifier
127+ regex : ^salt$
128+ - has :
129+ kind : attribute
130+ all :
131+ - has :
132+ kind : identifier
133+ regex : ^settings$
134+ nthChild : 1
135+ - has :
136+ kind : identifier
137+ nthChild : 2
138+ regex : ^SECRET_KEY$
139+ - any :
140+ - inside :
141+ stopBy : end
142+ follows :
143+ stopBy : end
144+ kind : import_from_statement
145+ pattern : from django.conf import settings
146+ - follows :
147+ stopBy : end
148+ kind : import_from_statement
149+ pattern : from django.conf import settings
150+
151+ hashids.Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet) :
152+ kind : call
153+ all :
154+ - has :
155+ kind : attribute
156+ nthChild : 1
157+ regex : ^hashids.Hashids$
158+ - has :
159+ kind : argument_list
160+ nthChild : 2
161+ has :
162+ kind : attribute
163+ all :
164+ - has :
165+ kind : identifier
166+ regex : ^settings$
167+ nthChild : 1
168+ - has :
169+ kind : identifier
170+ nthChild : 2
171+ regex : ^SECRET_KEY$
172+ - all :
173+ - any :
174+ - inside :
175+ stopBy : end
176+ follows :
177+ stopBy : end
178+ kind : import_from_statement
179+ pattern : from django.conf import settings
180+ - follows :
181+ stopBy : end
182+ kind : import_from_statement
183+ pattern : from django.conf import settings
184+
185+ hashids.Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) :
186+ kind : call
187+ all :
188+ - has :
189+ kind : attribute
190+ nthChild : 1
191+ regex : ^hashids.Hashids$
192+ - has :
193+ kind : argument_list
194+ nthChild : 2
195+ has :
196+ kind : keyword_argument
197+ all :
198+ - has :
199+ kind : identifier
200+ regex : ^salt$
201+ - has :
202+ kind : attribute
203+ regex : ^django.conf.settings.SECRET_KEY$
204+
205+ hashids.Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet) :
206+ kind : call
207+ all :
208+ - has :
209+ kind : attribute
210+ nthChild : 1
211+ regex : ^hashids.Hashids$
212+ - has :
213+ kind : argument_list
214+ nthChild : 2
215+ has :
216+ kind : attribute
217+ regex : ^django.conf.settings.SECRET_KEY$
218+
219+ Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet) :
220+ kind : call
221+ all :
222+ - has :
223+ kind : identifier
224+ nthChild : 1
225+ regex : ^Hashids$
226+ - has :
227+ kind : argument_list
228+ nthChild : 2
229+ has :
230+ kind : attribute
231+ regex : ^django.conf.settings.SECRET_KEY$
232+ - any :
233+ - inside :
234+ stopBy : end
235+ follows :
236+ stopBy : end
237+ kind : import_from_statement
238+ pattern : from hashids import Hashids
239+ - follows :
240+ stopBy : end
241+ kind : import_from_statement
242+ pattern : from hashids import Hashids
243+
244+ Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) :
245+ kind : call
246+ all :
247+ - has :
248+ kind : identifier
249+ nthChild : 1
250+ regex : ^Hashids$
251+ - has :
252+ kind : argument_list
253+ nthChild : 2
254+ has :
255+ kind : keyword_argument
256+ all :
257+ - has :
258+ kind : identifier
259+ regex : ^salt$
260+ - has :
261+ kind : attribute
262+ regex : ^django.conf.settings.SECRET_KEY$
263+ - any :
264+ - inside :
265+ stopBy : end
266+ follows :
267+ stopBy : end
268+ kind : import_from_statement
269+ pattern : from hashids import Hashids
270+ - follows :
271+ stopBy : end
272+ kind : import_from_statement
273+ pattern : from hashids import Hashids
274+
275+
276+ rule :
277+ any :
278+ - matches : Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH)
279+ - matches : Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet)
280+ - matches : hashids.Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH)
281+ - matches : hashids.Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet)
282+ - matches : hashids.Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH)
283+ - matches : hashids.Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet)
284+ - matches : Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet)
285+ - matches : Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH)
0 commit comments