Initial commit

src/security_demo/crypto_utils.py

@@ -0,0 +1,109 @@
+"""Cryptography utilities - streamlined version.
+
+FINDING CLASSIFICATIONS:
+- TRUE POSITIVE (TP): Actual security vulnerability
+- FALSE POSITIVE (FP): Flagged but not a real issue in context
+- UNCERTAIN: Could be either depending on deployment context
+"""
+
+import os
+import random
+import secrets
+import ssl
+import string
+from typing import Tuple
+
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.backends import default_backend
+
+
+# =============================================================================
+# HARDCODED SECRET PATTERNS
+# =============================================================================
+
+
+# TP: Hardcoded production key
+PRODUCTION_KEY = b"aK9$mX2#pL7@nQ4&wE8*rT5%yU1!oI3^"
+
+# FP: Example/placeholder key clearly marked
+EXAMPLE_KEY = "REPLACE_THIS_KEY_IN_PRODUCTION"
+
+# FP: Test key with test prefix
+TEST_API_KEY = "test_sk_4eC39HqLyjWDarjtT1zdp7dc"
+
+# UNCERTAIN: Looks real but might be intentionally fake
+BACKUP_KEY = "bkp_2024_xK9mP2sL7nQ4wE8rT5yU1oI3aB6cD"
+
+
+# =============================================================================
+# RANDOM NUMBER PATTERNS
+# =============================================================================
+
+
+def generate_session_token_insecure() -> str:
+    """TP: Using random for session token."""
+    chars = string.ascii_letters + string.digits
+    return "".join(random.choice(chars) for _ in range(32))
+
+
+def generate_otp_insecure() -> str:
+    """TP: Using random for OTP."""
+    return str(random.randint(100000, 999999))
+
+
+def generate_session_token_secure() -> str:
+    """FP: Using secrets for session token."""
+    return secrets.token_urlsafe(32)
+
+
+def shuffle_playlist(songs: list) -> list:
+    """FP: random is fine for non-security shuffling."""
+    result = songs.copy()
+    random.shuffle(result)
+    return result
+
+
+def roll_dice() -> int:
+    """FP: random for game mechanics."""
+    return random.randint(1, 6)
+
+
+# =============================================================================
+# CIPHER MODE PATTERNS
+# =============================================================================
+
+
+def encrypt_ecb(key: bytes, data: bytes) -> bytes:
+    """TP: ECB mode reveals patterns."""
+    cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
+    encryptor = cipher.encryptor()
+    return encryptor.update(data) + encryptor.finalize()
+
+
+def encrypt_cbc_random_iv(key: bytes, data: bytes) -> Tuple[bytes, bytes]:
+    """FP: CBC with random IV is secure."""
+    iv = os.urandom(16)
+    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
+    encryptor = cipher.encryptor()
+    return iv, encryptor.update(data) + encryptor.finalize()
+
+
+# =============================================================================
+# SSL/TLS PATTERNS
+# =============================================================================
+
+
+def create_insecure_context() -> ssl.SSLContext:
+    """TP: Certificate verification disabled."""
+    context = ssl.create_default_context()
+    context.check_hostname = False
+    context.verify_mode = ssl.CERT_NONE
+    return context
+
+
+def create_secure_context() -> ssl.SSLContext:
+    """FP: Properly configured secure context."""
+    context = ssl.create_default_context()
+    context.check_hostname = True
+    context.verify_mode = ssl.CERT_REQUIRED
+    return context