SONARPY-1705 Add support for Django to S5344 (#192)

GitOrigin-RevId: 0b6c5f152c2f78874a6d01e5a4e6f2385e1db925

Author: ghislainpiot

python-checks/src/main/java/org/sonar/python/checks/hotspots/FastHashingOrPlainTextCheck.java

@@ -19,14 +19,17 @@
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
+import java.util.stream.Stream;
 import org.sonar.check.Rule;
 import org.sonar.plugins.python.api.PythonSubscriptionCheck;
 import org.sonar.plugins.python.api.SubscriptionContext;
 import org.sonar.plugins.python.api.tree.AssignmentStatement;
 import org.sonar.plugins.python.api.tree.CallExpression;
 import org.sonar.plugins.python.api.tree.Expression;
 import org.sonar.plugins.python.api.tree.ExpressionList;
+import org.sonar.plugins.python.api.tree.ListLiteral;
 import org.sonar.plugins.python.api.tree.Name;
 import org.sonar.plugins.python.api.tree.QualifiedExpression;
 import org.sonar.plugins.python.api.tree.RegularArgument;
@@ -54,12 +57,21 @@ public class FastHashingOrPlainTextCheck extends PythonSubscriptionCheck {
   private static final String PBKDF2_MESSAGE = "Use at least 100 000 iterations.";
   private static final String ARGON2_MESSAGE = "Use secure Argon2 parameters.";
   private static final String BCRYPT_MESSAGE = "Use strong bcrypt parameters.";
+  private static final String DJANGO_MESSAGE = "Use a secure hashing algorithm to store passwords.";
+
   private static final Set<String> PBKDF2_ALGOS = Set.of(
     "sha1",
     "sha256",
     "sha512"
   );
   private static final String ROUNDS = "rounds";
+  private static final Set<String> DJANGO_FIRST_FORBIDDEN_HASHERS = Set.of(
+    "django.contrib.auth.hashers.SHA1PasswordHasher",
+    "django.contrib.auth.hashers.MD5PasswordHasher",
+    "django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher",
+    "django.contrib.auth.hashers.UnsaltedMD5PasswordHasher",
+    "django.contrib.auth.hashers.CryptPasswordHasher"
+  );
 
 
   private static final ArgumentValidator SCRYPT_R = new ArgumentValidator(
@@ -201,11 +213,39 @@ public class FastHashingOrPlainTextCheck extends PythonSubscriptionCheck {
   @Override
   public void initialize(Context context) {
     context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::registerTypeCheckers);
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, subscriptionContext1 -> {
+      if (!"settings.py".equals(subscriptionContext1.pythonFile().fileName())) {
+        return;
+      }
+      context.registerSyntaxNodeConsumer(Tree.Kind.ASSIGNMENT_STMT, FastHashingOrPlainTextCheck::checkDjangoHasher);
+    });
     context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, FastHashingOrPlainTextCheck::checkCallExpr);
     context.registerSyntaxNodeConsumer(Tree.Kind.NAME, this::checkName);
     context.registerSyntaxNodeConsumer(Tree.Kind.ASSIGNMENT_STMT, subscriptionContext -> checkAssignment(subscriptionContext, flaskConfigTypeChecker));
   }
 
+  private static void checkDjangoHasher(SubscriptionContext subscriptionContext) {
+    var stmt = (AssignmentStatement) subscriptionContext.syntaxNode();
+    var lhsIsConfig = stmt.lhsExpressions().stream().findFirst()
+      .map(ExpressionList::expressions)
+      .flatMap(list -> list.stream().findFirst())
+      .filter(expression -> expression.is(Tree.Kind.NAME))
+      .filter(name -> "PASSWORD_HASHERS".equals(((Name) name).name()));
+
+    var firstRhsString = Optional.of(stmt.assignedValue())
+      .flatMap(TreeUtils.toOptionalInstanceOfMapper(ListLiteral.class))
+      .map(ListLiteral::elements)
+      .map(ExpressionList::expressions)
+      .map(List::stream)
+      .flatMap(Stream::findFirst)
+      .flatMap(TreeUtils.toOptionalInstanceOfMapper(StringLiteral.class))
+      .filter(stringLiteral -> DJANGO_FIRST_FORBIDDEN_HASHERS.contains(stringLiteral.trimmedQuotesValue()));
+
+    if (lhsIsConfig.isPresent() && firstRhsString.isPresent()) {
+      subscriptionContext.addIssue(firstRhsString.get(), DJANGO_MESSAGE);
+    }
+  }
+
   private void registerTypeCheckers(SubscriptionContext subscriptionContext) {
     argon2CheapestProfileTypeChecker = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn("argon2.profiles.CHEAPEST");
     flaskConfigTypeChecker = subscriptionContext.typeChecker().typeCheckBuilder().isInstanceOf("flask.config.Config");

python-checks/src/test/java/org/sonar/python/checks/hotspots/FastHashingOrPlainTextCheckTest.java

@@ -16,24 +16,30 @@
  */
 package org.sonar.python.checks.hotspots;
 
-import java.util.Collections;
 import org.junit.jupiter.api.Test;
 import org.sonar.python.checks.utils.PythonCheckVerifier;
 
 class FastHashingOrPlainTextCheckTest {
   @Test
   void test() {
-    PythonCheckVerifier.verify(Collections.singletonList("src/test/resources/checks/fastHashingOrPlainText.py"), new FastHashingOrPlainTextCheck());
+    PythonCheckVerifier.verify("src/test/resources/checks/fastHashingOrPlainText/fastHashingOrPlainText.py", new FastHashingOrPlainTextCheck());
   }
 
   @Test
   void cheapestAnywhereImportFrom() {
-    PythonCheckVerifier.verify(Collections.singletonList("src/test/resources/checks/fastHashingOrPlainTextArgon2ImportFrom.py"), new FastHashingOrPlainTextCheck());
+    PythonCheckVerifier.verify("src/test/resources/checks/fastHashingOrPlainText/fastHashingOrPlainTextArgon2ImportFrom.py",
+      new FastHashingOrPlainTextCheck());
   }
 
   @Test
   void cheapestAnywhereImport() {
-    PythonCheckVerifier.verify(Collections.singletonList("src/test/resources/checks/fastHashingOrPlainTextArgon2Import.py"), new FastHashingOrPlainTextCheck());
+    PythonCheckVerifier.verify("src/test/resources/checks/fastHashingOrPlainText/fastHashingOrPlainTextArgon2Import.py",
+      new FastHashingOrPlainTextCheck());
   }
 
-}
+  @Test
+  void djangoSettings() {
+    PythonCheckVerifier.verify("src/test/resources/checks/fastHashingOrPlainText/settings.py", new FastHashingOrPlainTextCheck());
+  }
+
+}

…sources/checks/fastHashingOrPlainText.py …ingOrPlainText/fastHashingOrPlainText.pypython-checks/src/test/resources/checks/fastHashingOrPlainText.py renamed to python-checks/src/test/resources/checks/fastHashingOrPlainText/fastHashingOrPlainText.py python-checks/src/test/resources/checks/fastHashingOrPlainText.py renamed to python-checks/src/test/resources/checks/fastHashingOrPlainText/fastHashingOrPlainText.py

@@ -345,3 +345,14 @@ def flask_config():
 
     some_dict = {}
     some_dict['BCRYPT_LOG_ROUNDS'] = 11
+
+
+## Django
+PASSWORD_HASHERS = [
+    "django.contrib.auth.hashers.Argon2PasswordHasher",
+    "django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher"
+]
+
+PASSWORD_HASHERS = [
+    "django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher",  # OK outside of settings.py
+]

…ks/fastHashingOrPlainTextArgon2Import.py …xt/fastHashingOrPlainTextArgon2Import.pypython-checks/src/test/resources/checks/fastHashingOrPlainTextArgon2Import.py renamed to python-checks/src/test/resources/checks/fastHashingOrPlainText/fastHashingOrPlainTextArgon2Import.py python-checks/src/test/resources/checks/fastHashingOrPlainTextArgon2Import.py renamed to python-checks/src/test/resources/checks/fastHashingOrPlainText/fastHashingOrPlainTextArgon2Import.py

@@ -0,0 +1,24 @@
+PASSWORD_HASHERS = [
+    "django.contrib.auth.hashers.Argon2PasswordHasher",  # Compliant
+    "django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher",
+    "django.contrib.auth.hashers.PBKDF2PasswordHasher",
+    "django.contrib.auth.hashers.BCryptSHA256PasswordHasher",
+    "django.contrib.auth.hashers.ScryptPasswordHasher",
+]
+
+PASSWORD_HASHERS = [
+    "django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher",  # Noncompliant {{Use a secure hashing algorithm to store passwords.}}
+]
+#   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^@-1
+
+NOT_A_HASHER = []
+
+PASSWORD_HASHERS = [
+    "django.contrib.auth.hashers.ScryptPasswordHasher",
+    "django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher"
+]
+
+PASSWORD_HASHERS = [
+    "django.contrib.auth.hashers.CryptPasswordHasher",  # Noncompliant {{Use a secure hashing algorithm to store passwords.}}
+    "django.contrib.auth.hashers.ScryptPasswordHasher",
+]