Skip to content

Commit

Permalink
Add documentation to the S3XX rules (#5592)
Browse files Browse the repository at this point in the history 
## Summary

Add documentation to the `S3XX` rules (the `flake8-bandit`
['blacklists'](https://bandit.readthedocs.io/en/latest/plugins/index.html#plugin-id-groupings)
rule group). Related to #2646 .

Changed the `lxml`-based message to reflect that [`defusedxml` doesn't
support `lxml`](tiran/defusedxml#31).

## Test Plan

`python scripts/check_docs_formatted.py && mkdocs serve`
  • Loading branch information
@tjkuson
tjkuson authored Jul 11, 2023
1 parent 511ec0d commit f8173da
Show file tree
Hide file tree
Showing 2 changed files with 650 additions and 1 deletion.
38 changes: 38 additions & 0 deletions crates/ruff/src/rules/flake8_bandit/rules/hashlib_insecure_hash_functions.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,44 @@ use crate::checkers::ast::Checker;

use super::super::helpers::string_literal;

/// ## What it does
/// Checks for uses of weak or broken cryptographic hash functions.
///
/// ## Why is this bad?
/// Weak or broken cryptographic hash functions may be susceptible to
/// collision attacks (where two different inputs produce the same hash) or
/// pre-image attacks (where an attacker can find an input that produces a
/// given hash). This can lead to security vulnerabilities in applications
/// that rely on these hash functions.
///
/// Avoid using weak or broken cryptographic hash functions in security
/// contexts. Instead, use a known secure hash function such as SHA256.
///
/// ## Example
/// ```python
/// import hashlib
///
///
/// def certificate_is_valid(certificate: bytes, known_hash: str) -> bool:
/// hash = hashlib.md5(certificate).hexdigest()
/// return hash == known_hash
/// ```
///
/// Use instead:
/// ```python
/// import hashlib
///
///
/// def certificate_is_valid(certificate: bytes, known_hash: str) -> bool:
/// hash = hashlib.sha256(certificate).hexdigest()
/// return hash == known_hash
/// ```
///
/// ## References
/// - [Python documentation: `hashlib` — Secure hashes and message digests](https://docs.python.org/3/library/hashlib.html)
/// - [Common Weakness Enumeration: CWE-327](https://cwe.mitre.org/data/definitions/327.html)
/// - [Common Weakness Enumeration: CWE-328](https://cwe.mitre.org/data/definitions/328.html)
/// - [Common Weakness Enumeration: CWE-916](https://cwe.mitre.org/data/definitions/916.html)
#[violation]
pub struct HashlibInsecureHashFunction {
string: String,
Expand Down
Loading

0 comments on commit f8173da

Please sign in to comment.