SONARPY-3776: Extend S5344: Detect direct password assignment to Django User model instead of using set_password() or create_user() (#920)

GitOrigin-RevId: b92267be8d757cafc0d293e80871330f844c4a9b

Author: joke1196

python-checks/src/main/java/org/sonar/python/checks/hotspots/FastHashingOrPlainTextCheck.java

@@ -368,3 +368,43 @@ def flask_config():
 PASSWORD_HASHERS = [
     "django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher",  # OK outside of settings.py
 ]
+
+
+## Django User Password
+
+def django_user_password_assignment():
+    from django.contrib.auth.models import User
+
+    user = User()
+    user.username = 'john'
+    user.password = 'mysecretpassword'  # Noncompliant {{Use set_password() or create_user() to properly hash passwords.}}
+    user.save()
+
+    # Compliant - using set_password()
+    user2 = User()
+    user2.set_password('mysecretpassword')
+    user2.save()
+
+    # Compliant - setting other attributes
+    user3 = User()
+    user3.username = 'jane'
+    user3.email = 'jane@example.com'
+
+
+def django_user_create():
+    from django.contrib.auth.models import User
+
+    # Using create() with password argument
+    user = User.objects.create(
+        username='john',
+        password='mysecretpassword'  # Noncompliant {{Use set_password() or create_user() to properly hash passwords.}}
+    )
+
+    # Compliant - using create_user()
+    user = User.objects.create_user(
+        username='john',
+        password='mysecretpassword'
+    )
+
+    # Compliant - using create() without password argument
+    user = User.objects.create(username='john')

python-checks/src/test/resources/checks/fastHashingOrPlainText/fastHashingOrPlainText.py

@@ -0,0 +1,72 @@
+
+django.contrib.auth.models�
+
+UserManager&django.contrib.auth.models.UserManager" django.db.models.manager.Manager*�
+create-django.contrib.auth.models.UserManager.create"Z
++django.contrib.auth.models.AbstractBaseUser"+django.contrib.auth.models.AbstractBaseUser*Z
+self
P
+&django.contrib.auth.models.UserManager"&django.contrib.auth.models.UserManager*
+kwargs
+Any*�
+create_user2django.contrib.auth.models.UserManager.create_user"Z
++django.contrib.auth.models.AbstractBaseUser"+django.contrib.auth.models.AbstractBaseUser*Z
+self
P
+&django.contrib.auth.models.UserManager"&django.contrib.auth.models.UserManager**
+username

+builtins.str"builtins.str*Q
+email
D
+Union[builtins.str,None]

+builtins.str"builtins.str
+None 
*T
+password
D
+Union[builtins.str,None]

+builtins.str"builtins.str
+None 
*
+extra_fields
+Any*�
+create_superuser7django.contrib.auth.models.UserManager.create_superuser"Z
++django.contrib.auth.models.AbstractBaseUser"+django.contrib.auth.models.AbstractBaseUser*Z
+self
P
+&django.contrib.auth.models.UserManager"&django.contrib.auth.models.UserManager**
+username

+builtins.str"builtins.str*Q
+email
D
+Union[builtins.str,None]

+builtins.str"builtins.str
+None 
*T
+password
D
+Union[builtins.str,None]

+builtins.str"builtins.str
+None 
*
+extra_fields
+Any�
+AbstractBaseUser+django.contrib.auth.models.AbstractBaseUser"django.db.models.base.Model"*SonarPythonAnalyzerFakeStub.CustomStubBase*�

+set_password8django.contrib.auth.models.AbstractBaseUser.set_password"
+None*d
+self
Z
++django.contrib.auth.models.AbstractBaseUser"+django.contrib.auth.models.AbstractBaseUser*.
+raw_password

+builtins.str"builtins.str*�
+check_password:django.contrib.auth.models.AbstractBaseUser.check_password"
+builtins.bool"builtins.bool*d
+self
Z
++django.contrib.auth.models.AbstractBaseUser"+django.contrib.auth.models.AbstractBaseUser*.
+raw_password

+builtins.str"builtins.strr^
+password4django.contrib.auth.models.AbstractBaseUser.password
+builtins.str"builtins.str�
+AbstractUser'django.contrib.auth.models.AbstractUser"+django.contrib.auth.models.AbstractBaseUserrZ
+username0django.contrib.auth.models.AbstractUser.username
+builtins.str"builtins.strrT
+email-django.contrib.auth.models.AbstractUser.email
+builtins.str"builtins.strr�

+objects/django.contrib.auth.models.AbstractUser.objectsP
+&django.contrib.auth.models.UserManager"&django.contrib.auth.models.UserManager�

+Userdjango.contrib.auth.models.User"'django.contrib.auth.models.AbstractUserr�

+objects'django.contrib.auth.models.User.objectsP
+&django.contrib.auth.models.UserManager"&django.contrib.auth.models.UserManagere
+AnonymousUser(django.contrib.auth.models.AnonymousUser"*SonarPythonAnalyzerFakeStub.CustomStubBase*�

+__annotations__*django.contrib.auth.models.__annotations__W
+builtins.dict[builtins.str,Any]
+builtins.str"builtins.str
+Any"builtins.dict

python-frontend/src/main/resources/org/sonar/python/types/custom_protobuf/django.contrib.auth.models.protobuf

@@ -1,5 +1,71 @@
 
-django.contrib.auth*t
+django.contrib.auth�
+AbstractBaseUser+django.contrib.auth.models.AbstractBaseUser"django.db.models.base.Model"*SonarPythonAnalyzerFakeStub.CustomStubBase*�

+set_password8django.contrib.auth.models.AbstractBaseUser.set_password"
+None*d
+self
Z
++django.contrib.auth.models.AbstractBaseUser"+django.contrib.auth.models.AbstractBaseUser*.
+raw_password

+builtins.str"builtins.str*�
+check_password:django.contrib.auth.models.AbstractBaseUser.check_password"
+builtins.bool"builtins.bool*d
+self
Z
++django.contrib.auth.models.AbstractBaseUser"+django.contrib.auth.models.AbstractBaseUser*.
+raw_password

+builtins.str"builtins.strr^
+password4django.contrib.auth.models.AbstractBaseUser.password
+builtins.str"builtins.str�
+AbstractUser'django.contrib.auth.models.AbstractUser"+django.contrib.auth.models.AbstractBaseUserrZ
+username0django.contrib.auth.models.AbstractUser.username
+builtins.str"builtins.strrT
+email-django.contrib.auth.models.AbstractUser.email
+builtins.str"builtins.strr�

+objects/django.contrib.auth.models.AbstractUser.objectsP
+&django.contrib.auth.models.UserManager"&django.contrib.auth.models.UserManagere
+AnonymousUser(django.contrib.auth.models.AnonymousUser"*SonarPythonAnalyzerFakeStub.CustomStubBase�

+Userdjango.contrib.auth.models.User"'django.contrib.auth.models.AbstractUserr�

+objects'django.contrib.auth.models.User.objectsP
+&django.contrib.auth.models.UserManager"&django.contrib.auth.models.UserManager�
+
+UserManager&django.contrib.auth.models.UserManager" django.db.models.manager.Manager*�
+create-django.contrib.auth.models.UserManager.create"Z
++django.contrib.auth.models.AbstractBaseUser"+django.contrib.auth.models.AbstractBaseUser*Z
+self
P
+&django.contrib.auth.models.UserManager"&django.contrib.auth.models.UserManager*
+kwargs
+Any*�
+create_user2django.contrib.auth.models.UserManager.create_user"Z
++django.contrib.auth.models.AbstractBaseUser"+django.contrib.auth.models.AbstractBaseUser*Z
+self
P
+&django.contrib.auth.models.UserManager"&django.contrib.auth.models.UserManager**
+username

+builtins.str"builtins.str*Q
+email
D
+Union[builtins.str,None]

+builtins.str"builtins.str
+None 
*T
+password
D
+Union[builtins.str,None]

+builtins.str"builtins.str
+None 
*
+extra_fields
+Any*�
+create_superuser7django.contrib.auth.models.UserManager.create_superuser"Z
++django.contrib.auth.models.AbstractBaseUser"+django.contrib.auth.models.AbstractBaseUser*Z
+self
P
+&django.contrib.auth.models.UserManager"&django.contrib.auth.models.UserManager**
+username

+builtins.str"builtins.str*Q
+email
D
+Union[builtins.str,None]

+builtins.str"builtins.str
+None 
*T
+password
D
+Union[builtins.str,None]

+builtins.str"builtins.str
+None 
*
+extra_fields
+Any*t
 __path__django.contrib.auth.__path__J
 builtins.list[builtins.str]
 builtins.str"builtins.str"builtins.list*�

@@ -8,4 +74,5 @@
 builtins.str"builtins.str
 Any"builtins.dict*.
 
-middlewaredjango.contrib.auth.middleware 

+middlewaredjango.contrib.auth.middleware 
*&
+modelsdjango.contrib.auth.models 

python-frontend/src/main/resources/org/sonar/python/types/custom_protobuf/django.contrib.auth.protobuf

@@ -7,4 +7,5 @@
 builtins.dict[builtins.str,Any]
 builtins.str"builtins.str
 Any"builtins.dict*
-htmldjango.utils.html 

+htmldjango.utils.html 
*)
+deprecationdjango.utils.deprecation 

python-frontend/src/main/resources/org/sonar/python/types/custom_protobuf/django.utils.protobuf

@@ -284,6 +284,16 @@ void package_django() {
     assertThat(responseSymbol.fullyQualifiedName()).isEqualTo("django.http.response.HttpResponse");
   }
 
+  @Test
+  void package_django_contrib_auth() {
+    Map<String, Symbol> djangoAuthSymbols = symbolsForModule("django.contrib.auth.models");
+    assertThat(djangoAuthSymbols).isNotEmpty();
+    Symbol userSymbol = djangoAuthSymbols.get("User");
+    assertThat(userSymbol).isNotNull();
+    assertThat(userSymbol.kind()).isEqualTo(Kind.CLASS);
+    assertThat(userSymbol.fullyQualifiedName()).isEqualTo("django.contrib.auth.models.User");
+  }
+
   @Test
   void return_type_hints() {
     Map<String, Symbol> symbols = symbolsForModule("typing");

python-frontend/src/test/java/org/sonar/python/types/TypeShedTest.java

@@ -1,2 +1,2 @@
-1c8010bc70819847c25235e37ca98a48d47747b77edc77887b1bdd3ee5c49521
-c854205ed8f8a5d5935b2164fd2f15bf962159b9a8045e243aec3c3b4e393e76
+843addd5d5f7af6ecacd2ed21b251d4a89a44fdbdcc9dd2af52fb12939f697fe
+d67269ba8194374e815fa405dfbf957e07d196202cd8d3328d4a5a40f90628b5

python-frontend/typeshed_serializer/checksums/custom.checksum

@@ -6,3 +6,4 @@ import django.conf as conf
 import django.apps as apps
 import django.contrib as contrib
 import django.views as views
+import django.contrib as contrib

python-frontend/typeshed_serializer/resources/custom/django/__init__.pyi

@@ -1 +1,10 @@
 import django.contrib.auth.middleware as middleware
+import django.contrib.auth.models as models
+
+from .models import (
+    AbstractBaseUser as AbstractBaseUser,
+    AbstractUser as AbstractUser,
+    AnonymousUser as AnonymousUser,
+    User as User,
+    UserManager as UserManager,
+)

python-frontend/typeshed_serializer/resources/custom/django/contrib/auth/__init__.pyi

@@ -0,0 +1,36 @@
+from SonarPythonAnalyzerFakeStub import CustomStubBase
+from django.db.models.base import Model
+from django.db.models.manager import Manager
+from typing import Any
+
+class UserManager(Manager):
+    def create(self, **kwargs: Any) -> "AbstractBaseUser": ...
+    def create_user(
+        self,
+        username: str,
+        email: str | None = None,
+        password: str | None = None,
+        **extra_fields: Any,
+    ) -> "AbstractBaseUser": ...
+    def create_superuser(
+        self,
+        username: str,
+        email: str | None = None,
+        password: str | None = None,
+        **extra_fields: Any,
+    ) -> "AbstractBaseUser": ...
+
+class AbstractBaseUser(Model, CustomStubBase):
+    password: str
+    def set_password(self, raw_password: str) -> None: ...
+    def check_password(self, raw_password: str) -> bool: ...
+
+class AbstractUser(AbstractBaseUser):
+    username: str
+    email: str
+    objects: UserManager
+
+class User(AbstractUser):
+    objects: UserManager
+
+class AnonymousUser(CustomStubBase): ...