1+ id : hashids-with-flask-secret-python
2+ severity : warning
3+ language : python
4+ message : >-
5+ The Flask secret key is used as salt in HashIDs. The HashID mechanism
6+ is not secure. By observing sufficient HashIDs, the salt used to construct
7+ them can be recovered. This means the Flask secret key can be obtained by
8+ attackers, through the HashIDs).
9+ note : >-
10+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
11+ [REFERENCES]
12+ - https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY
13+ - http://carnage.github.io/2015/08/cryptanalysis-of-hashids
14+ utils :
15+ hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...) :
16+ # hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...)
17+ kind : call
18+ all :
19+ - has :
20+ stopBy : neighbor
21+ kind : attribute
22+ regex : ^hashids.Hashids$
23+ - has :
24+ stopBy : neighbor
25+ kind : argument_list
26+ has :
27+ stopBy : end
28+ kind : keyword_argument
29+ all :
30+ - has :
31+ stopBy : neighbor
32+ kind : identifier
33+ regex : ^salt$
34+ - has :
35+ stopBy : neighbor
36+ kind : subscript
37+ pattern : flask.current_app.config['SECRET_KEY']
38+ hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...) :
39+ # hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...)
40+ kind : call
41+ all :
42+ - has :
43+ stopBy : neighbor
44+ kind : attribute
45+ regex : ^hashids.Hashids$
46+ - has :
47+ stopBy : neighbor
48+ kind : argument_list
49+ has :
50+ stopBy : neighbor
51+ kind : subscript
52+ pattern : flask.current_app.config['SECRET_KEY']
53+ hashids.Hashids($APP.config['SECRET_KEY'], ...) :
54+ # hashids.Hashids($APP.config['SECRET_KEY'], ...)
55+ kind : call
56+ all :
57+ - has :
58+ stopBy : neighbor
59+ kind : attribute
60+ regex : ^hashids.Hashids$
61+ - has :
62+ stopBy : neighbor
63+ kind : argument_list
64+ has :
65+ stopBy : neighbor
66+ kind : subscript
67+ pattern : $APP.config['SECRET_KEY']
68+ - inside :
69+ stopBy : end
70+ kind : module
71+ has :
72+ stopBy : end
73+ kind : expression_statement
74+ has :
75+ stopBy : neighbor
76+ kind : assignment
77+ pattern : $APP = flask.Flask($$$)
78+ hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...) :
79+ # hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...)
80+ kind : call
81+ all :
82+ - has :
83+ stopBy : neighbor
84+ kind : attribute
85+ regex : ^hashids.Hashids$
86+ - has :
87+ stopBy : neighbor
88+ kind : argument_list
89+ has :
90+ stopBy : end
91+ kind : keyword_argument
92+ all :
93+ - has :
94+ stopBy : neighbor
95+ kind : identifier
96+ regex : ^salt$
97+ - has :
98+ stopBy : neighbor
99+ kind : subscript
100+ pattern : $APP.config['SECRET_KEY']
101+ - inside :
102+ stopBy : end
103+ kind : module
104+ has :
105+ stopBy : end
106+ kind : expression_statement
107+ has :
108+ stopBy : neighbor
109+ kind : assignment
110+ pattern : $APP = flask.Flask($$$)
111+ Hashids(salt=app.config['SECRET_KEY']) :
112+ # from hashids import Hashids
113+ # from flask import current_app as app
114+ # hash_id = Hashids(salt=app.config['SECRET_KEY'])
115+ kind : call
116+ all :
117+ - has :
118+ stopBy : neighbor
119+ kind : identifier
120+ regex : ^Hashids$
121+ - has :
122+ stopBy : neighbor
123+ kind : argument_list
124+ has :
125+ stopBy : end
126+ kind : keyword_argument
127+ all :
128+ - has :
129+ stopBy : neighbor
130+ kind : identifier
131+ regex : ^salt$
132+ - has :
133+ stopBy : neighbor
134+ kind : subscript
135+ pattern : $APP.config['SECRET_KEY']
136+ - inside :
137+ stopBy : end
138+ kind : module
139+ all :
140+ - has :
141+ stopBy : end
142+ kind : import_from_statement
143+ pattern : from hashids import Hashids
144+ - any :
145+ - has :
146+ stopBy : end
147+ kind : import_from_statement
148+ pattern : from flask import current_app as $APP
149+ - has :
150+ stopBy : end
151+ kind : expression_statement
152+ has :
153+ stopBy : end
154+ kind : assignment
155+ pattern : $APP = Flask($$$)
156+ Hashids(salt=current_app.config['SECRET_KEY']) :
157+ # from hashids import Hashids
158+ # from flask import current_app
159+ # hashids = Hashids(min_length=5, salt=current_app.config['SECRET_KEY'])
160+ kind : call
161+ all :
162+ - has :
163+ stopBy : neighbor
164+ kind : identifier
165+ regex : ^Hashids$
166+ - has :
167+ stopBy : neighbor
168+ kind : argument_list
169+ has :
170+ stopBy : end
171+ kind : keyword_argument
172+ all :
173+ - has :
174+ stopBy : neighbor
175+ kind : identifier
176+ regex : ^salt$
177+ - has :
178+ stopBy : neighbor
179+ kind : subscript
180+ pattern : current_app.config['SECRET_KEY']
181+ - inside :
182+ stopBy : end
183+ kind : module
184+ all :
185+ - has :
186+ stopBy : end
187+ kind : import_from_statement
188+ pattern : from hashids import Hashids
189+ - has :
190+ stopBy : end
191+ kind : import_from_statement
192+ pattern : from flask import current_app
193+ rule :
194+ kind : call
195+ any :
196+ - matches : hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...)
197+ - matches : hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...)
198+ - matches : hashids.Hashids($APP.config['SECRET_KEY'], ...)
199+ - matches : hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...)
200+ - matches : Hashids(salt=app.config['SECRET_KEY'])
201+ - matches : Hashids(salt=current_app.config['SECRET_KEY'])
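Review bot: A from-imported `Hashids` called with the secret as a positional argument, e.g. `Hashids(app.config['SECRET_KEY'])`, is matched by none of the six alternatives in `rule.any` at the end of the file: the two bare-`Hashids` utils (`Hashids(salt=app.config['SECRET_KEY'])` and `Hashids(salt=current_app.config['SECRET_KEY'])`) only look for a `keyword_argument` named `salt`, whereas the `hashids.Hashids` utils cover both the keyword and the positional form. Adding a util modelled on `hashids.Hashids($APP.config['SECRET_KEY'], ...)` but with the `identifier` / `^Hashids$` matcher and the module-level import constraint taken from the bare-name utils closes that gap; a sketch follows, written with conventional two-space nesting because the rendered page has dropped the file's indentation, and it needs a matching `- matches: Hashids($APP.config['SECRET_KEY'], ...)` entry under `rule.any`. Two smaller points: the four `regex: ^hashids.Hashids$` lines leave the dot unescaped and should read `regex: ^hashids\.Hashids$`, and the message text has a stray closing parenthesis in `through the HashIDs).`.
```yaml
  Hashids($APP.config['SECRET_KEY'], ...):
    # from hashids import Hashids
    # hash_id = Hashids(app.config['SECRET_KEY'])   # salt passed positionally
    kind: call
    all:
      - has:
          stopBy: neighbor
          kind: identifier
          regex: ^Hashids$
      - has:
          stopBy: neighbor
          kind: argument_list
          has:
            stopBy: neighbor
            kind: subscript
            pattern: $APP.config['SECRET_KEY']
      - inside:
          stopBy: end
          kind: module
          all:
            - has:
                stopBy: end
                kind: import_from_statement
                pattern: from hashids import Hashids
            - any:
                - has:
                    stopBy: end
                    kind: import_from_statement
                    pattern: from flask import current_app as $APP
                - has:
                    stopBy: end
                    kind: expression_statement
                    has:
                      stopBy: end
                      kind: assignment
                      pattern: $APP = Flask($$$)
# … unchanged: the existing utils and the rule block …
```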