Remove FP/TP identifiers and rename methods and variables
This commit is contained in:
Alexander Braml
@@ -1,10 +1,4 @@
|
||||
"""Cryptography utilities - streamlined version.
|
||||
|
||||
FINDING CLASSIFICATIONS:
|
||||
- TRUE POSITIVE (TP): Actual security vulnerability
|
||||
- FALSE POSITIVE (FP): Flagged but not a real issue in context
|
||||
- UNCERTAIN: Could be either depending on deployment context
|
||||
"""
|
||||
"""Cryptography utilities."""
|
||||
|
||||
import os
|
||||
import random
|
||||
@@ -17,92 +11,68 @@ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
|
||||
|
||||
# =============================================================================
|
||||
# HARDCODED SECRET PATTERNS
|
||||
# =============================================================================
|
||||
PRIMARY_KEY = b"aK9$mX2#pL7@nQ4&wE8*rT5%yU1!oI3^"
|
||||
|
||||
PLACEHOLDER_KEY = "REPLACE_THIS_KEY_IN_PRODUCTION"
|
||||
|
||||
CLIENT_API_KEY = "test_sk_4eC39HqLyjWDarjtT1zdp7dc"
|
||||
|
||||
ROTATION_KEY = "bkp_2024_xK9mP2sL7nQ4wE8rT5yU1oI3aB6cD"
|
||||
|
||||
|
||||
# TP: Hardcoded production key
|
||||
PRODUCTION_KEY = b"aK9$mX2#pL7@nQ4&wE8*rT5%yU1!oI3^"
|
||||
|
||||
# FP: Example/placeholder key clearly marked
|
||||
EXAMPLE_KEY = "REPLACE_THIS_KEY_IN_PRODUCTION"
|
||||
|
||||
# FP: Test key with test prefix
|
||||
TEST_API_KEY = "test_sk_4eC39HqLyjWDarjtT1zdp7dc"
|
||||
|
||||
# UNCERTAIN: Looks real but might be intentionally fake
|
||||
BACKUP_KEY = "bkp_2024_xK9mP2sL7nQ4wE8rT5yU1oI3aB6cD"
|
||||
|
||||
|
||||
# =============================================================================
|
||||
# RANDOM NUMBER PATTERNS
|
||||
# =============================================================================
|
||||
|
||||
|
||||
def generate_session_token_insecure() -> str:
|
||||
"""TP: Using random for session token."""
|
||||
def generate_session_token_random() -> str:
|
||||
"""Build a session token from random characters."""
|
||||
chars = string.ascii_letters + string.digits
|
||||
return "".join(random.choice(chars) for _ in range(32))
|
||||
|
||||
|
||||
def generate_otp_insecure() -> str:
|
||||
"""TP: Using random for OTP."""
|
||||
def generate_otp_random() -> str:
|
||||
"""Build a six-digit one-time code."""
|
||||
return str(random.randint(100000, 999999))
|
||||
|
||||
|
||||
def generate_session_token_secure() -> str:
|
||||
"""FP: Using secrets for session token."""
|
||||
def generate_session_token_secrets() -> str:
|
||||
"""Build a session token using the secrets module."""
|
||||
return secrets.token_urlsafe(32)
|
||||
|
||||
|
||||
def shuffle_playlist(songs: list) -> list:
|
||||
"""FP: random is fine for non-security shuffling."""
|
||||
"""Return a shuffled copy of the playlist."""
|
||||
result = songs.copy()
|
||||
random.shuffle(result)
|
||||
return result
|
||||
|
||||
|
||||
def roll_dice() -> int:
|
||||
"""FP: random for game mechanics."""
|
||||
"""Return a six-sided dice roll."""
|
||||
return random.randint(1, 6)
|
||||
|
||||
|
||||
# =============================================================================
|
||||
# CIPHER MODE PATTERNS
|
||||
# =============================================================================
|
||||
|
||||
|
||||
def encrypt_ecb(key: bytes, data: bytes) -> bytes:
|
||||
"""TP: ECB mode reveals patterns."""
|
||||
"""Encrypt data with AES in ECB mode."""
|
||||
cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
|
||||
encryptor = cipher.encryptor()
|
||||
return encryptor.update(data) + encryptor.finalize()
|
||||
|
||||
|
||||
def encrypt_cbc_random_iv(key: bytes, data: bytes) -> Tuple[bytes, bytes]:
|
||||
"""FP: CBC with random IV is secure."""
|
||||
"""Encrypt data with AES in CBC mode using a random IV."""
|
||||
iv = os.urandom(16)
|
||||
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
|
||||
encryptor = cipher.encryptor()
|
||||
return iv, encryptor.update(data) + encryptor.finalize()
|
||||
|
||||
|
||||
# =============================================================================
|
||||
# SSL/TLS PATTERNS
|
||||
# =============================================================================
|
||||
|
||||
|
||||
def create_insecure_context() -> ssl.SSLContext:
|
||||
"""TP: Certificate verification disabled."""
|
||||
def create_relaxed_context() -> ssl.SSLContext:
|
||||
"""Build an SSL context with verification turned off."""
|
||||
context = ssl.create_default_context()
|
||||
context.check_hostname = False
|
||||
context.verify_mode = ssl.CERT_NONE
|
||||
return context
|
||||
|
||||
|
||||
def create_secure_context() -> ssl.SSLContext:
|
||||
"""FP: Properly configured secure context."""
|
||||
def create_strict_context() -> ssl.SSLContext:
|
||||
"""Build an SSL context with hostname verification enabled."""
|
||||
context = ssl.create_default_context()
|
||||
context.check_hostname = True
|
||||
context.verify_mode = ssl.CERT_REQUIRED
|
||||
|
||||
Reference in New Issue
Block a user