Skip to content

Update main.py #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
arielkru wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Update main.py #18

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
821412d
Update main.py
arielkru Mar 25, 2024
8f15dfc
Update crypto.js
arielkru Mar 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions javascript/crypto.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ var crypto = require('crypto');

let Rand = new brorand.Rand({getByte: () => 255});
let rand = Rand.rand;
let result= Rand.generate(12);
let result= Rand.generate(12); // check this
Copy link

@bridgecrew-dev bridgecrew-dev bot Mar 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MEDIUM  Encryption keys are less than 16 bytes
    File: crypto.js | Checkov ID: CKV3_SAST_33

Description

CWE: CWE-326: Inadequate Encryption Strength
OWASP: A02:2021-Cryptographic Failures

This policy detects the use of encryption keys with inadequate size in JavaScript. Encryption keys with a size less than 16 bytes may pose a risk of being brute-forced, leading to vulnerabilities like unauthorized access or data breaches.

Some common patterns this policy checks for include the usage of:

  • nacl.randomBytes
  • randomBytes from either the randombytes module or node:crypto
  • getBytesSync from node-forge
  • cryptoRandomString and cryptoRandomStringAsync
  • brorand.Rand instances

Example of violating code:

const nacl = require('tweetnacl');
const key = nacl.randomBytes(8);


randomBytes(12, (err, buf) => {
if (err) throw err;
Expand All @@ -26,10 +26,10 @@ var randKey2 = new Buffer(nacl.randomBytes(12));
const val = crypto.hkdf('sha512', 'key', '',
'info', 64, (err, derivedKey) => {
if (err) throw err;
console.log(Buffer.from(derivedKey).toString('hex'));
console.log(Buffer.from(derivedKey).toString('hex')); // check this
});

crypto.DEFAULT_ENCODING = 'hex';
crypto.DEFAULT_ENCODING = 'hex'; // check this
const key = crypto.scryptSync('password', '', 64, { N: 1024 });

function generateKeyFiles() {
Expand Down Expand Up @@ -87,8 +87,8 @@ input.on('readable', () => {
// hash stream.
const data = input.read();
if (data)
hash.update(data);
hash.update(data); // check this
else {
console.log(`${hash.digest('hex')} ${filename}`);
}
});
});
4 changes: 4 additions & 0 deletions python/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@
tar_file = '/file.tax*'
os.system(tar_file)


assert(True)
Copy link

@bridgecrew-dev bridgecrew-dev bot Mar 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MEDIUM  Improper handling of checking for unusual or exceptional conditions
    File: main.py | Checkov ID: CKV3_SAST_4

Description

CWE: CWE-754: Improper Check for Unusual or Exceptional Conditions

The assert statement in Python is used for debugging purposes. It lets you test if a certain condition is met, and if not, the program will raise an AssertionError exception.

The main problem with assert is that it can be globally disabled with the -O (optimize) option in Python, or by setting the environment variable PYTHONOPTIMIZE to a non-empty string. This means that when Python code is run in optimized mode, all assert statements are ignored.

Therefore, if you're using assert to check for conditions that should prevent the program from continuing (for example, validating user input or checking configuration files), those checks will be skipped in optimized mode, which could lead to incorrect program behavior or even security vulnerabilities.

Here is an example of problematic code:

def process_data(data):
    assert data is not None, "Data must not be None"
    # Continue with processing...

In this code, if Python is run with optimization enabled, the assert statement will be ignored, and the process_data function will proceed even if data is None, which could cause errors later on.


KEY_SIZE = 1024
private_rsa_key = rsa.generate_private_key(
public_exponent=65537,
Expand All @@ -28,6 +31,7 @@
private_dsa_key_2 = DSA.generate(bits=KEY_SIZE)

assert(private_dsa_key_2 == private_dsa_key)
assert(True)
Copy link

@bridgecrew-dev bridgecrew-dev bot Mar 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MEDIUM  Improper handling of checking for unusual or exceptional conditions
    File: main.py | Checkov ID: CKV3_SAST_4

Description

CWE: CWE-754: Improper Check for Unusual or Exceptional Conditions

The assert statement in Python is used for debugging purposes. It lets you test if a certain condition is met, and if not, the program will raise an AssertionError exception.

The main problem with assert is that it can be globally disabled with the -O (optimize) option in Python, or by setting the environment variable PYTHONOPTIMIZE to a non-empty string. This means that when Python code is run in optimized mode, all assert statements are ignored.

Therefore, if you're using assert to check for conditions that should prevent the program from continuing (for example, validating user input or checking configuration files), those checks will be skipped in optimized mode, which could lead to incorrect program behavior or even security vulnerabilities.

Here is an example of problematic code:

def process_data(data):
    assert data is not None, "Data must not be None"
    # Continue with processing...

In this code, if Python is run with optimization enabled, the assert statement will be ignored, and the process_data function will proceed even if data is None, which could cause errors later on.


program = 'a = 5\nb=10\nprint("Sum =", a+b)'
exec(program)
Expand Down