chore: add checker to detect flask secrets used as salt for HashIDs #148

Open

wants to merge 1 commit into base: master
Conversation

MashyBasker (Collaborator) commented:

Test logs:

echo "Testing built-in rules..."
Testing built-in rules...
./bin/globstar test -d checkers/
Running test case: avoid_add.yml
Running test case: avoid_latest.yml
Running test case: avoid_sudo.yml
Running test case: dangerous_eval.yml
Running test case: avoid-marksafe.yml
Running test case: context-autoescape-off.yml
Running test case: filter-issafe.yml
Running test case: format-html-param.yml
Running test case: hashids-with-flask-secret.yml
Running test case: safe-string-extend.yml
All tests passed
        globstar.dev/cmd/globstar               coverage: 0.0% of statements
        globstar.dev/pkg/config         coverage: 0.0% of statements
        globstar.dev/pkg/cli            coverage: 0.0% of statements
ok      globstar.dev/pkg/analysis       0.005s  coverage: 22.7% of statements
Total coverage: 13.9%

vercel bot commented Feb 27, 2025:

1 Skipped Deployment

Name: globstar | Status: Ignored | Updated (UTC): Feb 27, 2025 6:02pm

@@ -0,0 +1,28 @@
language: py
name: hashids-with-flask-secret
message: Do not use Flask secret key as salt in HashIDs
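Review bot: the `message` on the third line says what not to do but not why, so a developer hitting the finding gets no guidance on the fix; suggest stating the risk and remedy, e.g. `message: Do not use the Flask SECRET_KEY as the Hashids salt. Hashids is an obfuscation scheme, not a cryptographic primitive, so the salt is not protected from anyone who can observe encoded IDs; use a dedicated, non-secret salt value instead.` Also, as raised further down in this thread, the package has been renamed to sqids, so the `name` and the pattern should account for both import names rather than `hashids` alone.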
Contributor commented:

Python's hashids package has been renamed to sqids. We should handle this for both imports.

On another note, maybe we should make this checker generic and handle other libraries as well that people use for creating hashed identifiers?

MashyBasker (Collaborator, Author) replied:

> Python's hashids package has been renamed to sqids. We should handle this for both imports.

I’ll push a commit to address this.

> On another note, maybe we should make this checker generic and handle other libraries as well that people use for creating hashed identifiers?

That makes sense. I previously added a similar checker for Django. I will review other libraries that might be affected and work on making the checker more generic to cover them as well.
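As an added illustration of the pattern this checker targets, and of the generic extension discussed above, here is a stand-alone Python AST scan (not the globstar YAML checker itself, and not code from this project) that flags Hashids constructor calls whose salt derives from the Flask secret key. The constructor-name set, the secret-name set and the sample application code are assumptions constructed for the example.

```python
import ast

# Constructor names to inspect; extend the set for other identifier-obfuscation
# libraries (assumption: the salt is `salt=` or the first positional argument).
ENCODER_CLASSES = {"Hashids"}
# Flask exposes the key as app.secret_key and app.config["SECRET_KEY"].
SECRET_NAMES = {"SECRET_KEY", "secret_key"}


def mentions_secret(expr: ast.AST) -> bool:
    """True if any sub-expression references the Flask secret key:
    app.secret_key, app.config["SECRET_KEY"], config.get("SECRET_KEY")."""
    for node in ast.walk(expr):
        if isinstance(node, ast.Attribute) and node.attr in SECRET_NAMES:
            return True
        if isinstance(node, ast.Constant) and node.value in SECRET_NAMES:
            return True
    return False


def find_secret_salts(source: str) -> list[int]:
    """Sorted line numbers of encoder constructor calls whose salt is
    derived from the Flask secret key."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func  # bare name (Hashids) or attribute (hashids.Hashids)
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name not in ENCODER_CLASSES:
            continue
        salt_exprs = [kw.value for kw in node.keywords if kw.arg == "salt"]
        if node.args:  # positional form: Hashids(salt, min_length, alphabet)
            salt_exprs.append(node.args[0])
        if any(mentions_secret(e) for e in salt_exprs):
            hits.append(node.lineno)
    return sorted(hits)


# Constructed sample application code; the secret value is a placeholder.
SAMPLE = """\
from flask import Flask
from hashids import Hashids
app = Flask(__name__)
app.config["SECRET_KEY"] = "placeholder-not-a-real-secret"
ids_bad1 = Hashids(salt=app.config["SECRET_KEY"])  # flagged: config lookup
ids_bad2 = Hashids(app.secret_key, min_length=8)   # flagged: positional salt
ids_ok = Hashids(salt=app.config["HASHIDS_SALT"])  # dedicated, non-secret salt
"""
```

Running `find_secret_salts(SAMPLE)` reports lines 5 and 6; the dedicated-salt line is left alone, which is the remediation the checker message should point developers to.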
