pixee / codemodder-python

Python implementation of the Codemodder framework
GNU Affero General Public License v3.0

Codemod: md5-used-as-password Semgrep #681

Open clavedeluna opened 4 days ago

clavedeluna commented 4 days ago

Running semgrep on pygoat

    ❯❱ python.lang.security.audit.md5-used-as-password.md5-used-as-password
          It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because
          it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function
          such as scrypt. You can use `hashlib.scrypt`.
          Details: https://sg.run/5DwD

          158┆ password = md5(password.encode()).hexdigest()

We should be able to write a basic transformer to replace md5 with more secure functions to create passwords. Do some research to decide on what's best here.

drdavella commented 4 days ago

This one is difficult to remediate because if the application is using a particular hash algorithm for passwords, and we change that algorithm, it's likely a breaking change for any passwords that are stored in the database with the old hash algorithm.

clavedeluna commented 4 days ago

Really good point, I forgot this is the case. Should we close this? At least there's a breadcrumb explaining it.
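One way to adopt the `hashlib.scrypt` replacement Semgrep suggests without the breaking change drdavella describes, as an added example that is not part of this issue or of the codemodder project: detect legacy md5 rows by their format, verify them as before, and rehash with scrypt on the next successful login. The in-memory user store, the `scrypt$salt$key` record format and the scrypt parameters are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed legacy record in the shape the Semgrep finding flags:
# an unsalted md5 hexdigest of the password.
LEGACY_PASSWORD = "correct horse"
LEGACY_HASH = hashlib.md5(LEGACY_PASSWORD.encode()).hexdigest()

# Assumed scrypt work factors (about 16 MiB of memory at n=2**14, r=8).
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_DKLEN = 2 ** 14, 8, 1, 32
PREFIX = "scrypt$"


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an assumed 'scrypt$<salt hex>$<key hex>' record using hashlib.scrypt."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                         r=SCRYPT_R, p=SCRYPT_P, dklen=SCRYPT_DKLEN)
    return f"{PREFIX}{salt.hex()}${key.hex()}"


def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.

    Returns (ok, replacement). For a legacy md5 row that verifies, replacement
    is a fresh scrypt record the caller should write back, so the algorithm
    changes one row at a time instead of invalidating every stored password.
    """
    if stored.startswith(PREFIX):
        _, salt_hex, key_hex = stored.split("$", 2)
        expected = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                  n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=SCRYPT_DKLEN)
        return hmac.compare_digest(expected.hex(), key_hex), None
    # Legacy md5 path: constant-time compare, then hand back the upgraded record.
    if hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored):
        return True, scrypt_hash(password)
    return False, None


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate against a hypothetical user store and upgrade legacy rows in place."""
    stored = users.get(username)
    if stored is None:
        return False
    ok, replacement = verify(password, stored)
    if ok and replacement is not None:
        users[username] = replacement  # md5 row retired on first successful login
    return ok
```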