SONARPY-2783: [S2053] Raise for salt = password for pyca/cryptography (#203)

joke1196 · sonartech · commit 1805c54e0adb · 2025-04-16T14:18:31.000Z
GitOrigin-RevId: 8b2c434365166affb5ab6b28780ba31e019cb84d
diff --git a/python-checks/src/main/java/org/sonar/python/checks/PredictableSaltCheck.java b/python-checks/src/main/java/org/sonar/python/checks/PredictableSaltCheck.java
@@ -18,27 +18,34 @@
 
 import java.util.ArrayList;
 import java.util.Map;
+import java.util.List;
 import java.util.Optional;
 import javax.annotation.Nullable;
 import org.sonar.check.Rule;
 import org.sonar.plugins.python.api.PythonSubscriptionCheck;
 import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.ArgList;
 import org.sonar.plugins.python.api.tree.CallExpression;
 import org.sonar.plugins.python.api.tree.Expression;
 import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.QualifiedExpression;
 import org.sonar.plugins.python.api.tree.RegularArgument;
 import org.sonar.plugins.python.api.tree.StringLiteral;
 import org.sonar.plugins.python.api.tree.Tree;
 import org.sonar.plugins.python.api.tree.UnpackingExpression;
 import org.sonar.python.checks.utils.Expressions;
 import org.sonar.python.tree.TreeUtils;
+import org.sonar.plugins.python.api.types.v2.TriBool;
+import org.sonar.python.types.v2.TypeCheckBuilder;
 import org.sonar.python.types.v2.TypeCheckMap;
 
 @Rule(key = "S2053")
 public class PredictableSaltCheck extends PythonSubscriptionCheck {
 
   private static final String MISSING_SALT_MESSAGE = "Add an unpredictable salt value to this hash.";
   private static final String PREDICTABLE_SALT_MESSAGE = "Make this salt unpredictable.";
+  private static final String DIFFERENT_SALT_THAN_KEY_MATERIAL_MESSAGE = "Make this salt different than the derived key material.";
+  private static final String SALT_IS_USED_HERE_MESSAGE = "The salt is used in the derive method here.";
   private static final String SALT_ARGUMENT_NAME = "salt";
   private static final String PASSWORD_ARGUMENT_NAME = "password";
 
@@ -53,8 +60,11 @@ public class PredictableSaltCheck extends PythonSubscriptionCheck {
     Map.entry("Cryptodome.Protocol.KDF.bcrypt", new ArgumentInfo(2, SALT_ARGUMENT_NAME, new ArgumentInfo(0, PASSWORD_ARGUMENT_NAME))),
     Map.entry("Crypto.Protocol.KDF.PBKDF2", new ArgumentInfo(1, SALT_ARGUMENT_NAME, new ArgumentInfo(0, PASSWORD_ARGUMENT_NAME))),
     Map.entry("Crypto.Protocol.KDF.scrypt", new ArgumentInfo(1, SALT_ARGUMENT_NAME, new ArgumentInfo(0, PASSWORD_ARGUMENT_NAME))),
-    Map.entry("Crypto.Protocol.KDF.bcrypt", new ArgumentInfo(2, SALT_ARGUMENT_NAME, false, new ArgumentInfo(0, PASSWORD_ARGUMENT_NAME)))
-  );
+    Map.entry("Crypto.Protocol.KDF.bcrypt", new ArgumentInfo(2, SALT_ARGUMENT_NAME, false, new ArgumentInfo(0, PASSWORD_ARGUMENT_NAME))));
+
+  private static final List<String> SENSITIVE_DERIVE_FUNCTIONS_FQN = List.of(
+    "cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC.derive",
+    "cryptography.hazmat.primitives.kdf.scrypt.Scrypt.derive");
 
   private static final Map<String, ArgumentInfo> SALT_FUNCTION_ARGUMENTS_TO_CHECK = Map.of(
     "bytes.fromhex", new ArgumentInfo(0, "__string"),
@@ -64,25 +74,25 @@ public class PredictableSaltCheck extends PythonSubscriptionCheck {
     "base64.b32encode", new ArgumentInfo(0, "s"),
     "base64.b32decode", new ArgumentInfo(0, "s"),
     "base64.b16encode", new ArgumentInfo(0, "s"),
-    "base64.b16decode", new ArgumentInfo(0, "s")
-  );
+    "base64.b16decode", new ArgumentInfo(0, "s"));
 
   @Override
   public void initialize(Context context) {
     var sensitiveArgumentByFqnCheck = new TypeCheckMap<ArgumentInfo>();
     var saltFunctionArgumentsToCheck = new TypeCheckMap<ArgumentInfo>();
+    var deriveFunctionsToCheck = new ArrayList<TypeCheckBuilder>();
     context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, ctx -> initializeTypeChecks(ctx, sensitiveArgumentByFqnCheck,
-      saltFunctionArgumentsToCheck));
+      saltFunctionArgumentsToCheck, deriveFunctionsToCheck));
     context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, ctx -> handleCallExpression((CallExpression) ctx.syntaxNode(),
       ctx,
       sensitiveArgumentByFqnCheck,
-      saltFunctionArgumentsToCheck
-    ));
+      saltFunctionArgumentsToCheck,
+      deriveFunctionsToCheck));
   }
 
   private static void initializeTypeChecks(SubscriptionContext ctx,
     TypeCheckMap<ArgumentInfo> sensitiveArgumentByFqnCheck,
-    TypeCheckMap<ArgumentInfo> saltFunctionArgumentsToCheck) {
+    TypeCheckMap<ArgumentInfo> saltFunctionArgumentsToCheck, List<TypeCheckBuilder> deriveFunctionsToCheck) {
     SENSITIVE_ARGUMENT_BY_FQN.forEach((fqn, argumentNumber) -> {
       var checker = ctx.typeChecker().typeCheckBuilder().isTypeWithFqn(fqn);
       sensitiveArgumentByFqnCheck.put(checker, argumentNumber);
@@ -91,43 +101,98 @@ private static void initializeTypeChecks(SubscriptionContext ctx,
       var checker = ctx.typeChecker().typeCheckBuilder().isTypeWithFqn(fqn);
       saltFunctionArgumentsToCheck.put(checker, argumentInfo);
     });
+    SENSITIVE_DERIVE_FUNCTIONS_FQN.forEach(fqn -> {
+      var checker = ctx.typeChecker().typeCheckBuilder().isTypeWithFqn(fqn);
+      deriveFunctionsToCheck.add(checker);
+    });
   }
 
   private static void handleCallExpression(CallExpression callExpression, SubscriptionContext ctx,
-    TypeCheckMap<ArgumentInfo> sensitiveArgumentByFqnCheck, TypeCheckMap<ArgumentInfo> saltFunctionArgumentsToCheck) {
+    TypeCheckMap<ArgumentInfo> sensitiveArgumentByFqnCheck, TypeCheckMap<ArgumentInfo> saltFunctionArgumentsToCheck, List<TypeCheckBuilder> deriveFunctionsToCheck) {
     Optional.of(callExpression)
       .map(CallExpression::callee)
       .map(Expression::typeV2)
       .map(sensitiveArgumentByFqnCheck::getForType)
-      .ifPresent(argumentInfo -> checkArguments(callExpression, argumentInfo, ctx, saltFunctionArgumentsToCheck));
+      .ifPresent(argumentInfo -> checkArguments(callExpression, argumentInfo, ctx, saltFunctionArgumentsToCheck, deriveFunctionsToCheck));
   }
 
   private static void checkArguments(CallExpression callExpression, ArgumentInfo argumentInfo, SubscriptionContext ctx,
-    TypeCheckMap<ArgumentInfo> saltFunctionArgumentsToCheck) {
+    TypeCheckMap<ArgumentInfo> saltFunctionArgumentsToCheck, List<TypeCheckBuilder> deriveFunctionsToCheck) {
     var argument = TreeUtils.nthArgumentOrKeyword(argumentInfo.position(), argumentInfo.name(), callExpression.arguments());
     if (argument != null) {
-      var raised = checkSensitiveArgument(argument, ctx, saltFunctionArgumentsToCheck);
-      if (!raised) {
-        Optional.ofNullable(argumentInfo.shouldNotBeSameAsArgument())
-          .map(ai -> TreeUtils.nthArgumentOrKeyword(ai.position(), ai.name(), callExpression.arguments()))
-          .ifPresent(shouldNotBeSameAsArgument -> checkForSameArguments(argument, shouldNotBeSameAsArgument, ctx));
+      if (hasRaisedOnSensitiveArgument(argument, ctx, saltFunctionArgumentsToCheck)) {
+        return;
+      }
+      if (hasRaisedOnSameArgument(argument, argumentInfo, callExpression, ctx)) {
+        return;
+      }
+      if (hasRaisedOnSameSaltAndDerivedKeyMaterial(argument, deriveFunctionsToCheck, ctx)) {
+        return;
       }
+
     } else if (argumentInfo.required() && callExpression.arguments().stream().noneMatch(UnpackingExpression.class::isInstance)) {
       ctx.addIssue(callExpression.callee(), MISSING_SALT_MESSAGE);
     }
   }
 
-  private static void checkForSameArguments(RegularArgument argument, RegularArgument shouldNotBeSameAsArgument, SubscriptionContext ctx) {
+  private static boolean hasRaisedOnSameSaltAndDerivedKeyMaterial(RegularArgument argument, List<TypeCheckBuilder> deriveFunctionsToCheck, SubscriptionContext ctx) {
+    if (!argument.expression().is(Tree.Kind.NAME)) {
+      return false;
+    }
+    var symbol = ((Name) argument.expression()).symbolV2();
+    if (symbol == null) {
+      return false;
+    }
+    var usagesInDeriveCall = symbol.usages().stream()
+      .map(usage -> usage.tree().parent())
+      .flatMap(TreeUtils.toStreamInstanceOfMapper(RegularArgument.class))
+      .filter(regArg -> !regArg.equals(argument))
+      .filter(regArg -> isUsedInDeriveCall(regArg, deriveFunctionsToCheck))
+      .map(RegularArgument::expression)
+      .toList();
+
+    if (usagesInDeriveCall.isEmpty()) {
+      return false;
+    }
+    var issue = ctx.addIssue(argument, DIFFERENT_SALT_THAN_KEY_MATERIAL_MESSAGE);
+    usagesInDeriveCall.stream().forEach(arg -> issue.secondary(arg, SALT_IS_USED_HERE_MESSAGE));
+    return true;
+  }
+
+  private static boolean isUsedInDeriveCall(RegularArgument regularArgument, List<TypeCheckBuilder> deriveFunctionsToCheck) {
+    return Optional.ofNullable(regularArgument.parent())
+      .flatMap(TreeUtils.toOptionalInstanceOfMapper(ArgList.class))
+      .map(ArgList::parent)
+      .flatMap(TreeUtils.toOptionalInstanceOfMapper(CallExpression.class))
+      .map(CallExpression::callee)
+      .flatMap(TreeUtils.toOptionalInstanceOfMapper(QualifiedExpression.class))
+      .map(qualifiedExpr -> deriveFunctionsToCheck.stream()
+        .anyMatch(deriveFunction -> deriveFunction.check(qualifiedExpr.name().typeV2()) == TriBool.TRUE))
+      .orElse(false);
+
+  }
+
+  private static boolean hasRaisedOnSameArgument(RegularArgument argument, ArgumentInfo argumentInfo, CallExpression callExpression, SubscriptionContext ctx) {
+    return Optional.ofNullable(argumentInfo.shouldNotBeSameAsArgument())
+      .map(ai -> TreeUtils.nthArgumentOrKeyword(ai.position(), ai.name(), callExpression.arguments()))
+      .map(shouldNotBeSameAsArgument -> raisedOnSameArgument(argument, shouldNotBeSameAsArgument, ctx))
+      .orElseGet(() -> false);
+
+  }
+
+  private static boolean raisedOnSameArgument(RegularArgument argument, RegularArgument shouldNotBeSameAsArgument, SubscriptionContext ctx) {
     var exp1 = argument.expression();
     var exp2 = shouldNotBeSameAsArgument.expression();
     if (exp1 instanceof Name n1
-        && exp2 instanceof Name n2
-        && n1.symbolV2() == n2.symbolV2()) {
+      && exp2 instanceof Name n2
+      && n1.symbolV2() == n2.symbolV2()) {
       ctx.addIssue(argument, PREDICTABLE_SALT_MESSAGE).secondary(shouldNotBeSameAsArgument, "");
+      return true;
     }
+    return false;
   }
 
-  private static boolean checkSensitiveArgument(RegularArgument regularArgument,
+  private static boolean hasRaisedOnSensitiveArgument(RegularArgument regularArgument,
     SubscriptionContext ctx, TypeCheckMap<ArgumentInfo> saltFunctionArgumentsToCheck) {
     var secondaries = new ArrayList<Tree>();
     var expression = regularArgument.expression();
@@ -163,7 +228,7 @@ private static Expression getCallExpressionArgumentValueToCheck(TypeCheckMap<Arg
       .map(Expression::typeV2)
       .map(saltFunctionArgumentsToCheck::getForType)
       .map(argumentInfo -> Optional.ofNullable(TreeUtils.nthArgumentOrKeyword(argumentInfo.position(), argumentInfo.name(),
-          callExpression.arguments()))
+        callExpression.arguments()))
         .map(RegularArgument::expression)
         .orElse(expression))
       .orElse(null);
@@ -179,5 +244,4 @@ private ArgumentInfo(int position, String name, ArgumentInfo shouldNotBeSameAsAr
     }
   }
 
-
 }
diff --git a/python-checks/src/test/resources/checks/predictableSalt.py b/python-checks/src/test/resources/checks/predictableSalt.py
@@ -75,7 +75,7 @@ def func():
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
 from cryptography.hazmat.backends import default_backend
 
-def scrypt_salt():
+def scrypt_salt(password):
     from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
     Scrypt(
         salt="abc" # Noncompliant {{Make this salt unpredictable.}}
@@ -84,6 +84,18 @@ def scrypt_salt():
         "abc" # Noncompliant {{Make this salt unpredictable.}}
     )
 
+    hasher = Scrypt(
+        salt=password # Noncompliant {{Make this salt different than the derived key material.}}
+    )
+    hasher.derive(password)
+    #            <^^^^^^^^ {{The salt is used in the derive method here.}}
+
+    salt_ = os.urandom(16)
+    hasher = Scrypt(
+        salt=salt_ # Noncompliant {{Make this salt different than the derived key material.}}
+    ).derive(key_material=salt_)
+    #                    <^^^^^ {{The salt is used in the derive method here.}}
+
 def derive_password(password, salt, backend):
     kdf = PBKDF2HMAC(
         algorithm=hashes.SHA256(),
@@ -114,6 +126,27 @@ def derive_password(password, salt, backend):
     )
     key = kdf.derive(password)
 
+    some_salt = os.urandom(16)
+    kdf = PBKDF2HMAC(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt=some_salt,  # FN PBKDF2HMAC stubs are not resolved properly this should be solved with SONARPY-2053
+        iterations=100000,
+        backend=backend
+    )
+    key = kdf.derive(key_material=some_salt)
+
+    other_salt = os.urandom(16)
+    PBKDF2HMAC(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt=other_salt,  # FN PBKDF2HMAC stubs are not resolved properly this should be solved with SONARPY-2053
+        iterations=100000,
+        backend=backend
+    ).derive(key_material=other_salt)
+
+
+
 salt = os.urandom(16)
 backend = default_backend()
 derive_password(b"my great password", salt, backend)
