/
hashids-with-flask-secret.yaml
35 lines (35 loc) · 1.17 KB
/
hashids-with-flask-secret.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
rules:
- id: hashids-with-flask-secret
languages:
- python
message: >-
The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure.
By observing sufficient HashIDs, the salt used to construct them can be recovered.
This means the Flask secret key can be obtained by attackers, through the HashIDs.
metadata:
category: security
subcategory:
- vuln
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
owasp:
- A02:2021 – Cryptographic Failures
references:
- https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY
- http://carnage.github.io/2015/08/cryptanalysis-of-hashids
technology:
- flask
likelihood: LOW
impact: HIGH
confidence: HIGH
pattern-either:
- pattern: hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...)
- pattern: hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...)
- patterns:
- pattern-inside: |
$APP = flask.Flask(...)
...
- pattern-either:
- pattern: hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...)
- pattern: hashids.Hashids($APP.config['SECRET_KEY'], ...)
severity: ERROR