SONARPY-1700 Add support for Argon2 to S5344 (#187)

ghislainpiot · sonartech · commit 713fb784c79e · 2025-04-11T07:54:54.000Z
GitOrigin-RevId: 9fc1d6e48c9376d3a01c8560e729ad18ef5fe0e2
diff --git a/python-checks/src/main/java/org/sonar/python/checks/hotspots/CommonValidationUtils.java b/python-checks/src/main/java/org/sonar/python/checks/hotspots/CommonValidationUtils.java
@@ -59,6 +59,17 @@ static boolean isLessThanExponent(Expression expression, int exponent) {
     return false;
   }
 
+  static boolean isEqualTo(Expression expression, int number) {
+    try {
+      if (expression.is(Tree.Kind.NAME)) {
+        return Expressions.singleAssignedNonNameValue(((Name) expression)).map(value -> isEqualTo(value, number)).orElse(false);
+      }
+      return expression.is(Tree.Kind.NUMERIC_LITERAL) && ((NumericLiteral) expression).valueAsLong() == number;
+    } catch (NumberFormatException nfe) {
+      return false;
+    }
+  }
+
   interface CallValidator {
     void validate(SubscriptionContext ctx, CallExpression callExpression);
   }
diff --git a/python-checks/src/main/java/org/sonar/python/checks/hotspots/FastHashingOrPlainTextCheck.java b/python-checks/src/main/java/org/sonar/python/checks/hotspots/FastHashingOrPlainTextCheck.java
@@ -23,27 +23,33 @@
 import org.sonar.check.Rule;
 import org.sonar.plugins.python.api.PythonSubscriptionCheck;
 import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.AssignmentStatement;
 import org.sonar.plugins.python.api.tree.CallExpression;
 import org.sonar.plugins.python.api.tree.Expression;
 import org.sonar.plugins.python.api.tree.Name;
 import org.sonar.plugins.python.api.tree.QualifiedExpression;
 import org.sonar.plugins.python.api.tree.RegularArgument;
 import org.sonar.plugins.python.api.tree.StringLiteral;
 import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.types.v2.TriBool;
 import org.sonar.python.checks.hotspots.CommonValidationUtils.ArgumentValidator;
 import org.sonar.python.checks.hotspots.CommonValidationUtils.CallValidator;
 import org.sonar.python.checks.utils.Expressions;
 import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckBuilder;
 
+import static org.sonar.python.checks.hotspots.CommonValidationUtils.isEqualTo;
 import static org.sonar.python.checks.hotspots.CommonValidationUtils.isLessThan;
 import static org.sonar.python.semantic.SymbolUtils.qualifiedNameOrEmpty;
+import static org.sonar.python.tree.TreeUtils.nthArgumentOrKeyword;
 import static org.sonar.python.tree.TreeUtils.nthArgumentOrKeywordOptional;
 
 @Rule(key = "S5344")
 public class FastHashingOrPlainTextCheck extends PythonSubscriptionCheck {
 
   private static final String SCRYPT_PARAMETERS_MESSAGE = "Use strong scrypt parameters.";
   private static final String PBKDF2_MESSAGE = "Use at least 100 000 iterations.";
+  private static final String ARGON2_MESSAGE = "Use secure Argon2 parameters.";
   private static final Set<String> PBKDF2_ALGOS = Set.of(
     "sha1",
     "sha256",
@@ -136,13 +142,18 @@ public class FastHashingOrPlainTextCheck extends PythonSubscriptionCheck {
   );
 
 
-  private static final Map<String, Collection<CallValidator>> CALL_EXPRESSION_VALIDATORS = Map.of(
-    "scrypt.hash", List.of(SCRYPT_R, SCRYPT_BUFLEN, SCRYPT_N),
-    "hashlib.scrypt", List.of(HASHLIB_R, HASHLIB_N, HASHLIB_DKLEN),
-    "hashlib.pbkdf2_hmac", List.of(HASHLIB_PBKDF2),
-    "cryptography.hazmat.primitives.kdf.scrypt.Scrypt", List.of(CRYPTOGRAPHY_R, CRYPTOGRAPHY_N, CRYPTOGRAPHY_LENGTH),
-    "cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC", List.of(CRYPTOGRAPHY_PBKDF2),
-    "passlib.hash.scrypt.using", List.of(PASSLIB_BLOCK_SIZE, PASSLIB_ROUNDS)
+  private static final Map<String, Collection<CallValidator>> CALL_EXPRESSION_VALIDATORS = Map.ofEntries(
+    Map.entry("scrypt.hash", List.of(SCRYPT_R, SCRYPT_BUFLEN, SCRYPT_N)),
+    Map.entry("hashlib.scrypt", List.of(HASHLIB_R, HASHLIB_N, HASHLIB_DKLEN)),
+    Map.entry("hashlib.pbkdf2_hmac", List.of(HASHLIB_PBKDF2)),
+    Map.entry("cryptography.hazmat.primitives.kdf.scrypt.Scrypt", List.of(CRYPTOGRAPHY_R, CRYPTOGRAPHY_N, CRYPTOGRAPHY_LENGTH)),
+    Map.entry("cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC", List.of(CRYPTOGRAPHY_PBKDF2)),
+    Map.entry("passlib.hash.scrypt.using", List.of(PASSLIB_BLOCK_SIZE, PASSLIB_ROUNDS)),
+    Map.entry("argon2.PasswordHasher", List.of(new Argon2PasswordHasherValidator(0, 1, 2))),
+    Map.entry("argon2.Parameters", List.of(new Argon2PasswordHasherValidator(4, 5, 6))),
+    Map.entry("argon2.low_level.hash_secret", List.of(new Argon2PasswordHasherValidator(2, 3, 4))),
+    Map.entry("argon2.low_level.hash_secret_raw", List.of(new Argon2PasswordHasherValidator(2, 3, 4))),
+    Map.entry("passlib.handlers.argon2._Argon2Common.using", List.of(new Argon2PasswordHasherValidator(3, 4, 5)))
   );
 
   private static final Map<String, Collection<CallValidator>> QUALIFIED_EXPR_VALIDATOR = Map.of(
@@ -152,9 +163,32 @@ public class FastHashingOrPlainTextCheck extends PythonSubscriptionCheck {
   );
 
 
+  private TypeCheckBuilder argon2CheapestProfileTypeChecker = null;
   @Override
   public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::registerTypeCheckers);
     context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, FastHashingOrPlainTextCheck::checkCallExpr);
+    context.registerSyntaxNodeConsumer(Tree.Kind.NAME, this::checkName);
+  }
+
+  private void registerTypeCheckers(SubscriptionContext subscriptionContext) {
+    argon2CheapestProfileTypeChecker = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn("argon2.profiles.CHEAPEST");
+  }
+
+  private void checkName(SubscriptionContext subscriptionContext) {
+    var name = (Name) subscriptionContext.syntaxNode();
+    if (argon2CheapestProfileTypeChecker.check(name.typeV2()) != TriBool.TRUE) {
+      return;
+    }
+    var ancestorAssign = ((AssignmentStatement) TreeUtils.firstAncestorOfKind(name, Tree.Kind.ASSIGNMENT_STMT));
+    if (ancestorAssign != null && isChildOf(ancestorAssign, name)) {
+      return;
+    }
+    subscriptionContext.addIssue(name, "Use a secure Argon2 profile.");
+  }
+
+  private static boolean isChildOf(AssignmentStatement ancestorAssign, Name name) {
+    return ancestorAssign.lhsExpressions().stream().flatMap(expressionList -> expressionList.children().stream()).anyMatch(tree -> tree == name);
   }
 
   private static void checkCallExpr(SubscriptionContext subscriptionContext) {
@@ -204,12 +238,36 @@ public void validate(SubscriptionContext ctx, CallExpression callExpression) {
         .ifPresent(arg -> ctx.addIssue(arg, PBKDF2_MESSAGE));
     }
   }
-
   record MissingArgumentValidator(int position, String keywordName, String message) implements CallValidator {
     @Override
     public void validate(SubscriptionContext ctx, CallExpression callExpression) {
       nthArgumentOrKeywordOptional(position, keywordName, callExpression.arguments()).ifPresentOrElse(regularArgument -> {
       }, () -> ctx.addIssue(callExpression.callee(), message));
     }
   }
+
+  record Argon2PasswordHasherValidator(
+    int timeCostPosition,
+    int memoryCostPosition,
+    int parallelismPosition
+  ) implements CallValidator {
+
+    @Override
+    public void validate(SubscriptionContext ctx, CallExpression callExpression) {
+      var timeCostArgument =
+        nthArgumentOrKeyword(timeCostPosition, "time_cost", callExpression.arguments());
+      var memoryCostArgument =
+        nthArgumentOrKeyword(memoryCostPosition, "memory_cost", callExpression.arguments());
+      var parallelismArgument =
+        nthArgumentOrKeyword(parallelismPosition, "parallelism", callExpression.arguments());
+
+      var isTimeCostNOk = timeCostArgument != null && isLessThan(timeCostArgument.expression(), 5);
+      var isMemoryCostNOk = memoryCostArgument != null && isLessThan(memoryCostArgument.expression(), 7168);
+      var isParallelismNOk = parallelismArgument != null && isEqualTo(parallelismArgument.expression(), 1);
+
+      if (isMemoryCostNOk && isTimeCostNOk && isParallelismNOk) {
+        ctx.addIssue(callExpression.callee(), ARGON2_MESSAGE);
+      }
+    }
+  }
 }
diff --git a/python-checks/src/test/java/org/sonar/python/checks/hotspots/CommonValidationUtilsTest.java b/python-checks/src/test/java/org/sonar/python/checks/hotspots/CommonValidationUtilsTest.java
@@ -41,13 +41,17 @@ private static void checkCallExpr(SubscriptionContext ctx) {
             ctx.addIssue(argument, "Argument is less than 10");
           }
         });
+      TreeUtils.nthArgumentOrKeywordOptional(1, "isEqualTo", callExpression.arguments())
+        .ifPresent(argument -> {
+          if (CommonValidationUtils.isEqualTo(argument.expression(), 10)) {
+            ctx.addIssue(argument, "Argument is equal to 10");
+          }
+        });
     }
   }
 
   @Test
   void isLessThan() {
     PythonCheckVerifier.verify("src/test/resources/checks/commonValidationUtils.py", new isLessThanTestCheck());
-
-
   }
 }
diff --git a/python-checks/src/test/java/org/sonar/python/checks/hotspots/FastHashingOrPlainTextCheckTest.java b/python-checks/src/test/java/org/sonar/python/checks/hotspots/FastHashingOrPlainTextCheckTest.java
@@ -26,4 +26,14 @@ void test() {
     PythonCheckVerifier.verify(Collections.singletonList("src/test/resources/checks/fastHashingOrPlainText.py"), new FastHashingOrPlainTextCheck());
   }
 
+  @Test
+  void cheapestAnywhereImportFrom() {
+    PythonCheckVerifier.verify(Collections.singletonList("src/test/resources/checks/fastHashingOrPlainTextArgon2ImportFrom.py"), new FastHashingOrPlainTextCheck());
+  }
+
+  @Test
+  void cheapestAnywhereImport() {
+    PythonCheckVerifier.verify(Collections.singletonList("src/test/resources/checks/fastHashingOrPlainTextArgon2Import.py"), new FastHashingOrPlainTextCheck());
+  }
+
 }
diff --git a/python-checks/src/test/resources/checks/commonValidationUtils.py b/python-checks/src/test/resources/checks/commonValidationUtils.py
@@ -8,3 +8,11 @@
 
 var_wrong = "something"
 callExpr(var_wrong)
+
+callExpr(12, 0)
+callExpr(12, 10)  # Noncompliant {{Argument is equal to 10}}
+ten = 10
+callExpr(isEqualTo=ten)  # Noncompliant {{Argument is equal to 10}}
+not_ten = 11
+callExpr(isEqualTo=not_ten)
+callExpr(12, var_wrong)
diff --git a/python-checks/src/test/resources/checks/fastHashingOrPlainText.py b/python-checks/src/test/resources/checks/fastHashingOrPlainText.py
@@ -232,3 +232,74 @@ def passlib():
     pbkdf2_sha256.using(salt)  # Noncompliant
     pbkdf2_sha512.using(salt)  # Noncompliant {{Use at least 100 000 iterations.}}
 #   ^^^^^^^^^^^^^^^^^^^
+
+## Argon2
+
+def not_cheapest():
+    from argon2 import PasswordHasher
+    from argon2.profiles import RFC_9106_HIGH_MEMORY
+    PasswordHasher.from_parameters(RFC_9106_HIGH_MEMORY)
+
+
+def manual_unsafe():
+    from argon2 import PasswordHasher, Parameters
+    PasswordHasher(  # Noncompliant {{Use secure Argon2 parameters.}}
+        time_cost=4,
+        memory_cost=7167,
+        parallelism=1,
+    )
+    PasswordHasher(
+        time_cost=4,
+        memory_cost=7167,
+        parallelism=2,
+    )
+    PasswordHasher(
+        time_cost=4,
+        memory_cost=7167,
+    )
+    PasswordHasher(
+        time_cost=4,
+        parallelism=1,
+    )
+    PasswordHasher(
+        memory_cost=7167,
+        parallelism=1,
+    )
+
+    Parameters(type, version, salt_len, hash_len, 1, 1, 1)  # Noncompliant
+
+    from argon2.low_level import hash_secret, hash_secret_raw
+    hash_secret(  # Noncompliant
+        password,
+        salt,
+        4,
+        7167,
+        1,
+    )
+    hash_secret(
+        password,
+        salt,
+        6,
+        7167,
+        1,
+    )
+
+    hash_secret_raw(  # Noncompliant
+        password,
+        salt,
+        4,
+        7167,
+        1,
+    )
+    hash_secret_raw(
+        password,
+        salt,
+        6,
+        7167,
+        1,
+    )
+
+    from passlib.hash import argon2
+
+    argon2.using(time_cost=4, memory_cost=7167, parallelism=1)  # Noncompliant
+    argon2.using(time_cost=4, memory_cost=7167, parallelism=2)
diff --git a/python-checks/src/test/resources/checks/fastHashingOrPlainTextArgon2Import.py b/python-checks/src/test/resources/checks/fastHashingOrPlainTextArgon2Import.py
@@ -0,0 +1,9 @@
+from argon2 import PasswordHasher
+import argon2.profiles
+
+some_var = argon2.profiles.CHEAPEST  # Noncompliant {{Use a secure Argon2 profile.}}
+
+#                          ^^^^^^^^@-1
+
+foo(some_var)  # Noncompliant
+#   ^^^^^^^^
diff --git a/python-checks/src/test/resources/checks/fastHashingOrPlainTextArgon2ImportFrom.py b/python-checks/src/test/resources/checks/fastHashingOrPlainTextArgon2ImportFrom.py
@@ -0,0 +1,9 @@
+from argon2 import PasswordHasher
+from argon2.profiles import CHEAPEST  # Noncompliant {{Use a secure Argon2 profile.}}
+
+#                           ^^^^^^^^@-1
+some_var = CHEAPEST  # Noncompliant {{Use a secure Argon2 profile.}}
+#          ^^^^^^^^
+
+foo(some_var)  # Noncompliant
+#   ^^^^^^^^

Original file line number	Diff line number	Diff line change
`@@ -41,13 +41,17 @@ private static void checkCallExpr(SubscriptionContext ctx) {`
`41`	`41`	`ctx.addIssue(argument, "Argument is less than 10");`
`42`	`42`	`}`
`43`	`43`	`});`
	`44`	`+ TreeUtils.nthArgumentOrKeywordOptional(1, "isEqualTo", callExpression.arguments())`
	`45`	`+ .ifPresent(argument -> {`
	`46`	`+ if (CommonValidationUtils.isEqualTo(argument.expression(), 10)) {`
	`47`	`+ ctx.addIssue(argument, "Argument is equal to 10");`
	`48`	`+ }`
	`49`	`+ });`
`44`	`50`	`}`
`45`	`51`	`}`
`46`	`52`
`47`	`53`	`@Test`
`48`	`54`	`void isLessThan() {`
`49`	`55`	`PythonCheckVerifier.verify("src/test/resources/checks/commonValidationUtils.py", new isLessThanTestCheck());`
`50`		`-`
`51`		`-`
`52`	`56`	`}`
`53`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,4 +26,14 @@ void test() {`
`26`	`26`	`PythonCheckVerifier.verify(Collections.singletonList("src/test/resources/checks/fastHashingOrPlainText.py"), new FastHashingOrPlainTextCheck());`
`27`	`27`	`}`
`28`	`28`
	`29`	`+ @Test`
	`30`	`+ void cheapestAnywhereImportFrom() {`
	`31`	`+ PythonCheckVerifier.verify(Collections.singletonList("src/test/resources/checks/fastHashingOrPlainTextArgon2ImportFrom.py"), new FastHashingOrPlainTextCheck());`
	`32`	`+ }`
	`33`	`+`
	`34`	`+ @Test`
	`35`	`+ void cheapestAnywhereImport() {`
	`36`	`+ PythonCheckVerifier.verify(Collections.singletonList("src/test/resources/checks/fastHashingOrPlainTextArgon2Import.py"), new FastHashingOrPlainTextCheck());`
	`37`	`+ }`
	`38`	`+`
`29`	`39`	`}`