-
-
Notifications
You must be signed in to change notification settings - Fork 584
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
B324: hashlib_new not checking for SHA1 #560
Labels
Milestone
Comments
ericwb
added a commit
that referenced
this issue
Jan 9, 2020
The hashlib.new test plugin was only checking for MD4 and MD5. This patch extends the list of insecure hashes to include SHA1, which has known exploits. Fixes #560 Signed-off-by: Eric Brown <browne@vmware.com>
Glyphack
pushed a commit
to Glyphack/bandit
that referenced
this issue
Feb 27, 2020
Resolves PyCQA#548 Add code of conduct. Add links to contributing.md file. Fix typo. Fix docs for B610,B611,B703 (PyCQA#555) * Fix docs for B610,B611,B703 * Address flake8 notice by adding blank line * Fix long lines Use SPDX license identifier instead of bulky headers (PyCQA#530) * Use SPDX license identifier instead of bulky headers There exists a nice, consistent way to denote licenses in source files. It's called SPDX and further information is here [1]. This commit migrates the bulky apache-2 license headers with the SPDX short identifier equivalent. [1] https://spdx.org/ids-how Signed-off-by: Eric Brown <browne@vmware.com> * Update test-requirements.txt Add a section explaining "nosec" (PyCQA#554) * Add a section explaining "nosec" References PyCQA#553 * Remove duplicated "in your code" replace 'then' with 'than' Signed-off-by: Pablo Woolvett <pablo.wooveltt@iconstruye.onmicrosoft.com> Add sha1 to the list of insecure hashes The hashlib.new test plugin was only checking for MD4 and MD5. This patch extends the list of insecure hashes to include SHA1, which has known exploits. Fixes PyCQA#560 Signed-off-by: Eric Brown <browne@vmware.com> Use GitHub Actions to run CI (PyCQA#565) * Use GitHub Actions to run CI This change utilizes GitHub Actions to run the CI for our unit tests instead of the current Travis-CI. * Delete .travis.yml Ignore common directories by default This fix follows the example of flake8 in that it sets a default list of common directories and filename patterns to exclude. Fixes PyCQA#543 Signed-off-by: Eric Brown <browne@vmware.com> Add push and pull request to GH Action trigger It appears that Actions are not triggered for all pull requests. I suspect the Actions need to register for event push and pull_request in order to run CI on commits. Signed-off-by: Eric Brown <browne@vmware.com> Fix grammar issues and typos. Fix more grammar issues Added @lukehinds text about commit messages and squash commits from https://gist.githubusercontent.com/lukehinds/3337941149fc25ed91567037a0ebf026/raw/c1db6186c7e14ff316db2fe61fa046ab07251275/gistfile1.txt Remove extra parentheses
Glyphack
pushed a commit
to Glyphack/bandit
that referenced
this issue
Feb 27, 2020
Resolves PyCQA#548 Add code of conduct. Add links to contributing.md file. Fix typo. Fix docs for B610,B611,B703 (PyCQA#555) * Fix docs for B610,B611,B703 * Address flake8 notice by adding blank line * Fix long lines Use SPDX license identifier instead of bulky headers (PyCQA#530) * Use SPDX license identifier instead of bulky headers There exists a nice, consistent way to denote licenses in source files. It's called SPDX and further information is here [1]. This commit migrates the bulky apache-2 license headers with the SPDX short identifier equivalent. [1] https://spdx.org/ids-how Signed-off-by: Eric Brown <browne@vmware.com> * Update test-requirements.txt Add a section explaining "nosec" (PyCQA#554) * Add a section explaining "nosec" References PyCQA#553 * Remove duplicated "in your code" replace 'then' with 'than' Signed-off-by: Pablo Woolvett <pablo.wooveltt@iconstruye.onmicrosoft.com> Add sha1 to the list of insecure hashes The hashlib.new test plugin was only checking for MD4 and MD5. This patch extends the list of insecure hashes to include SHA1, which has known exploits. Fixes PyCQA#560 Signed-off-by: Eric Brown <browne@vmware.com> Use GitHub Actions to run CI (PyCQA#565) * Use GitHub Actions to run CI This change utilizes GitHub Actions to run the CI for our unit tests instead of the current Travis-CI. * Delete .travis.yml Ignore common directories by default This fix follows the example of flake8 in that it sets a default list of common directories and filename patterns to exclude. Fixes PyCQA#543 Signed-off-by: Eric Brown <browne@vmware.com> Add push and pull request to GH Action trigger It appears that Actions are not triggered for all pull requests. I suspect the Actions need to register for event push and pull_request in order to run CI on commits. Signed-off-by: Eric Brown <browne@vmware.com> Fix grammar issues and typos. Fix more grammar issues Added @lukehinds text about commit messages and squash commits from https://gist.githubusercontent.com/lukehinds/3337941149fc25ed91567037a0ebf026/raw/c1db6186c7e14ff316db2fe61fa046ab07251275/gistfile1.txt Remove extra parentheses
mikespallino
pushed a commit
to mikespallino/bandit
that referenced
this issue
Aug 25, 2021
The hashlib.new test plugin was only checking for MD4 and MD5. This patch extends the list of insecure hashes to include SHA1, which has known exploits. Fixes PyCQA#560 Signed-off-by: Eric Brown <browne@vmware.com>
mikespallino
pushed a commit
to mikespallino/bandit
that referenced
this issue
Aug 25, 2021
Resolves PyCQA#548 Add code of conduct. Add links to contributing.md file. Fix typo. Fix docs for B610,B611,B703 (PyCQA#555) * Fix docs for B610,B611,B703 * Address flake8 notice by adding blank line * Fix long lines Use SPDX license identifier instead of bulky headers (PyCQA#530) * Use SPDX license identifier instead of bulky headers There exists a nice, consistent way to denote licenses in source files. It's called SPDX and further information is here [1]. This commit migrates the bulky apache-2 license headers with the SPDX short identifier equivalent. [1] https://spdx.org/ids-how Signed-off-by: Eric Brown <browne@vmware.com> * Update test-requirements.txt Add a section explaining "nosec" (PyCQA#554) * Add a section explaining "nosec" References PyCQA#553 * Remove duplicated "in your code" replace 'then' with 'than' Signed-off-by: Pablo Woolvett <pablo.wooveltt@iconstruye.onmicrosoft.com> Add sha1 to the list of insecure hashes The hashlib.new test plugin was only checking for MD4 and MD5. This patch extends the list of insecure hashes to include SHA1, which has known exploits. Fixes PyCQA#560 Signed-off-by: Eric Brown <browne@vmware.com> Use GitHub Actions to run CI (PyCQA#565) * Use GitHub Actions to run CI This change utilizes GitHub Actions to run the CI for our unit tests instead of the current Travis-CI. * Delete .travis.yml Ignore common directories by default This fix follows the example of flake8 in that it sets a default list of common directories and filename patterns to exclude. Fixes PyCQA#543 Signed-off-by: Eric Brown <browne@vmware.com> Add push and pull request to GH Action trigger It appears that Actions are not triggered for all pull requests. I suspect the Actions need to register for event push and pull_request in order to run CI on commits. Signed-off-by: Eric Brown <browne@vmware.com> Fix grammar issues and typos. Fix more grammar issues Added @lukehinds text about commit messages and squash commits from https://gist.githubusercontent.com/lukehinds/3337941149fc25ed91567037a0ebf026/raw/c1db6186c7e14ff316db2fe61fa046ab07251275/gistfile1.txt Remove extra parentheses
mikespallino
pushed a commit
to mikespallino/bandit
that referenced
this issue
Jan 7, 2022
The hashlib.new test plugin was only checking for MD4 and MD5. This patch extends the list of insecure hashes to include SHA1, which has known exploits. Fixes PyCQA#560 Signed-off-by: Eric Brown <browne@vmware.com>
mikespallino
pushed a commit
to mikespallino/bandit
that referenced
this issue
Jan 7, 2022
Resolves PyCQA#548 Add code of conduct. Add links to contributing.md file. Fix typo. Fix docs for B610,B611,B703 (PyCQA#555) * Fix docs for B610,B611,B703 * Address flake8 notice by adding blank line * Fix long lines Use SPDX license identifier instead of bulky headers (PyCQA#530) * Use SPDX license identifier instead of bulky headers There exists a nice, consistent way to denote licenses in source files. It's called SPDX and further information is here [1]. This commit migrates the bulky apache-2 license headers with the SPDX short identifier equivalent. [1] https://spdx.org/ids-how Signed-off-by: Eric Brown <browne@vmware.com> * Update test-requirements.txt Add a section explaining "nosec" (PyCQA#554) * Add a section explaining "nosec" References PyCQA#553 * Remove duplicated "in your code" replace 'then' with 'than' Signed-off-by: Pablo Woolvett <pablo.wooveltt@iconstruye.onmicrosoft.com> Add sha1 to the list of insecure hashes The hashlib.new test plugin was only checking for MD4 and MD5. This patch extends the list of insecure hashes to include SHA1, which has known exploits. Fixes PyCQA#560 Signed-off-by: Eric Brown <browne@vmware.com> Use GitHub Actions to run CI (PyCQA#565) * Use GitHub Actions to run CI This change utilizes GitHub Actions to run the CI for our unit tests instead of the current Travis-CI. * Delete .travis.yml Ignore common directories by default This fix follows the example of flake8 in that it sets a default list of common directories and filename patterns to exclude. Fixes PyCQA#543 Signed-off-by: Eric Brown <browne@vmware.com> Add push and pull request to GH Action trigger It appears that Actions are not triggered for all pull requests. I suspect the Actions need to register for event push and pull_request in order to run CI on commits. Signed-off-by: Eric Brown <browne@vmware.com> Fix grammar issues and typos. Fix more grammar issues Added @lukehinds text about commit messages and squash commits from https://gist.githubusercontent.com/lukehinds/3337941149fc25ed91567037a0ebf026/raw/c1db6186c7e14ff316db2fe61fa046ab07251275/gistfile1.txt Remove extra parentheses
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
SHA1 has known weaknesses and a proven exploit. We already include SHA1 as a blacklisted call from hashlib, but it's not part of hashlib_new plugin (B324)
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Should also check for SHA1 and have an updated unit test
Bandit version
The text was updated successfully, but these errors were encountered: