Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update warning message for rule S305 to address insecure block cipher mode use #10602

Merged
merged 2 commits into from
Mar 28, 2024

Conversation

mnixry
Copy link
Contributor

@mnixry mnixry commented Mar 26, 2024

Summary

This PR updates the warning message for rule S305 to accurately reflect the security concern over using ECB mode in block ciphers, which is considered insecure compared to other modes like CBC or CTR. The previous message incorrectly mentioned AES as a block cipher mode, which has been corrected to avoid confusion.

Ref:
https://github.com/PyCQA/bandit/blob/c85576d903c213859634f4fbcb6304042442e62a/bandit/blacklists/calls.py#L99-L102

/// ## What it does
/// Checks for uses of weak or broken cryptographic cipher modes.
///
/// ## Why is this bad?
/// Weak or broken cryptographic ciphers may be susceptible to attacks that
/// allow an attacker to decrypt ciphertext without knowing the key or
/// otherwise compromise the security of the cipher, such as forgeries.
///
/// Use strong, modern cryptographic ciphers instead of weak or broken ones.
///
/// ## Example
/// ```python
/// from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
///
/// algorithm = algorithms.ARC4(key)
/// cipher = Cipher(algorithm, mode=modes.ECB(iv))
/// encryptor = cipher.encryptor()
/// ```
///
/// Use instead:
/// ```python
/// from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
///
/// algorithm = algorithms.ARC4(key)
/// cipher = Cipher(algorithm, mode=modes.CTR(iv))
/// encryptor = cipher.encryptor()
/// ```
///
/// ## References
/// - [Common Weakness Enumeration: CWE-327](https://cwe.mitre.org/data/definitions/327.html)

Test Plan

No testing required as the change is limited to a minor change of warning message update.

Copy link
Contributor

ruff-ecosystem results

Linter (stable)

✅ ecosystem check detected no linter changes.

Linter (preview)

✅ ecosystem check detected no linter changes.

Copy link
Member

@charliermarsh charliermarsh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, this looks right to me!

@charliermarsh charliermarsh added the documentation Improvements or additions to documentation label Mar 28, 2024
@charliermarsh charliermarsh merged commit cce25ec into astral-sh:main Mar 28, 2024
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants