SONARPY-1681 Symmetric cryptography (#202)

thomas-serre-sonarsource · sonartech · commit 4b7099fd7757 · 2025-04-16T07:00:25.000Z
GitOrigin-RevId: 81dae175fd49be15a7f1c5fd573585010203ecfb
diff --git a/python-checks/src/main/java/org/sonar/python/checks/RobustCipherAlgorithmCheck.java b/python-checks/src/main/java/org/sonar/python/checks/RobustCipherAlgorithmCheck.java
@@ -44,7 +44,7 @@
 public class RobustCipherAlgorithmCheck extends PythonSubscriptionCheck {
 
   private static final String MESSAGE = "Use a strong cipher algorithm.";
-
+  private static final Set<String> INSECURE_CIPHERS_PREFIXES = Set.of("cryptography.hazmat.decrepit.ciphers.");
   private static final Set<String> INSECURE_CIPHERS = Set.of(
     "NULL",
     "aNULL",
@@ -75,21 +75,28 @@ public class RobustCipherAlgorithmCheck extends PythonSubscriptionCheck {
     "Crypto.Cipher.ARC2.new",
     "Crypto.Cipher.ARC4.new",
     "Crypto.Cipher.Blowfish.new",
+    "Crypto.Cipher.XOR.new",
+    "Crypto.Cipher.CAST.new",
     "Crypto.Cipher.DES.new",
     "Crypto.Cipher.DES3.new",
     "Cryptodome.Cipher.ARC2.new",
     "Cryptodome.Cipher.ARC4.new",
     "Cryptodome.Cipher.Blowfish.new",
+    "Cryptodome.Cipher.XOR.new",
+    "Cryptodome.Cipher.CAST.new",
     "Cryptodome.Cipher.DES.new",
     "Cryptodome.Cipher.DES3.new",
     "cryptography.hazmat.primitives.ciphers.algorithms.ARC4",
     "cryptography.hazmat.primitives.ciphers.algorithms.Blowfish",
     "cryptography.hazmat.primitives.ciphers.algorithms.IDEA",
+    "cryptography.hazmat.primitives.ciphers.algorithms.CAST5",
     "cryptography.hazmat.primitives.ciphers.algorithms.TripleDES",
     "pyDes.des",
     "pyDes.triple_des"
   );
 
+
+
   @Override
   public void initialize(Context context) {
     context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, RobustCipherAlgorithmCheck::checkCallExpression);
@@ -101,7 +108,7 @@ private static void checkCallExpression(SubscriptionContext subscriptionContext)
       .map(CallExpression::calleeSymbol)
       .map(Symbol::fullyQualifiedName)
       .ifPresent(fullyQualifiedName -> {
-        if (SENSITIVE_CALLEE_FQNS.contains(fullyQualifiedName)) {
+        if (SENSITIVE_CALLEE_FQNS.contains(fullyQualifiedName) || INSECURE_CIPHERS_PREFIXES.stream().anyMatch(fullyQualifiedName::startsWith)) {
           subscriptionContext.addIssue(callExpr.callee(), MESSAGE);
         } else if (SSL_SET_CIPHERS_FQN.equals(fullyQualifiedName)) {
           checkForInsecureCiphers(subscriptionContext, callExpr);
diff --git a/python-checks/src/test/resources/checks/robustCipherAlgorithm.py b/python-checks/src/test/resources/checks/robustCipherAlgorithm.py
@@ -1,6 +1,5 @@
-
 def pycryptodomex_examples():
-  from Cryptodome.Cipher import DES, DES3, ARC2, ARC4, Blowfish, AES
+  from Cryptodome.Cipher import DES, DES3, ARC2, ARC4, Blowfish, AES, CAST
   from Cryptodome.Random import get_random_bytes
 
   key = b'-8B key-'
@@ -23,6 +22,10 @@ def pycryptodomex_examples():
   cipher = Blowfish.new(key, Blowfish.MODE_CBC) # Noncompliant {{Use a strong cipher algorithm.}}
   #        ^^^^^^^^^^^^
 
+  key = os.urandom(16)
+  cipher = CAST.new(key, CAST.MODE_OPENPGP)  # Noncompliant {{Use a strong cipher algorithm.}}
+  #        ^^^^^^^^
+
   key = b'Sixteen byte key'
   cipher = AES.new(key, AES.MODE_CCM) # Compliant
 
@@ -35,7 +38,7 @@ def pycryptodomex_examples():
 
 # pycryptodome is a drop-in replacement for pycrpypto, currently those two libraries are not differentiated
 def pycroptodome_examples():
-  from Crypto.Cipher import DES, DES3, ARC2, ARC4, Blowfish, AES
+  from Crypto.Cipher import DES, DES3, ARC2, ARC4, Blowfish, AES, CAST, XOR
   from Crypto.Random import get_random_bytes
 
   key = b'-8B key-'
@@ -55,9 +58,18 @@ def pycroptodome_examples():
   cipher = Blowfish.new(key, Blowfish.MODE_CBC) # Noncompliant {{Use a strong cipher algorithm.}}
   #        ^^^^^^^^^^^^
 
+  key = os.urandom(16)
+  cipher = CAST.new(key, CAST.MODE_OPENPGP)  # Noncompliant {{Use a strong cipher algorithm.}}
+  #        ^^^^^^^^
+
+  key = os.urandom(16)
+  cipher = XOR.new(key)  # Noncompliant {{Use a strong cipher algorithm.}}
+  #        ^^^^^^^
+
 def pyca_examples():
   import os
   from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+  from cryptography.hazmat.decrepit.ciphers.algorithms import AnyAlgoFromDeprecitModule
   from cryptography.hazmat.backends import default_backend
 
   key = os.urandom(16)
@@ -69,6 +81,10 @@ def pyca_examples():
   #            ^^^^^^^^^^^^^^^^^^^
   rc42 = Cipher(algorithms.ARC4(key), mode=None, backend=default_backend()) # Noncompliant {{Use a strong cipher algorithm.}}
   #             ^^^^^^^^^^^^^^^
+  casts5 = Cipher(algorithms.CAST5(key), mode=None, backend=default_backend())  # Noncompliant {{Use a strong cipher algorithm.}}
+  #               ^^^^^^^^^^^^^^^^
+  deprecit = Cipher(AnyAlgoFromDeprecitModule(key), mode=None, backend=default_backend())  # Noncompliant {{Use a strong cipher algorithm.}}
+  #                 ^^^^^^^^^^^^^^^^^^^^^^^^^
 
 def pydes_examples():
   import pyDes;
