python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the cryptography package it is recommended to use Fernet which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the Cipher class from the hazmat primitives but use the AES algorithm instead.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: insecure-cipher-algorithm-blowfish
    message: Blowfish is a block cipher developed by Bruce Schneier. It is known to
      be susceptible to attacks when using weak keys.  The author has
      recommended that users of Blowfish move to newer algorithms such as AES.
      With the `cryptography` package it is recommended to use `Fernet` which is
      a secure implementation of AES in CBC mode with a 128-bit
      key.  Alternatively, keep using the `Cipher` class from the hazmat
      primitives but use the AES algorithm instead.
    metadata:
      source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      bandit-code: B304
      references:
        - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers
        - https://tools.ietf.org/html/rfc5469
      category: security
      technology:
        - cryptography
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      functional-categories:
        - crypto::search::symmetric-algorithm::cryptography
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    severity: WARNING
    languages:
      - python
    patterns:
      - pattern: cryptography.hazmat.primitives.ciphers.algorithms.$BLOWFISH($KEY)
      - metavariable-regex:
          metavariable: $BLOWFISH
          regex: ^(Blowfish)$
      - focus-metavariable: $BLOWFISH
    fix: AES

Examples

insecure-cipher-algorithms-blowfish.py

# cf. https://github.com/PyCQA/bandit/blob/b78c938c0bd03d201932570f5e054261e10c5750/examples/ciphers.py

from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers import modes
from cryptography.hazmat.backends import default_backend
from struct import pack


# ruleid:insecure-cipher-algorithm-blowfish
cipher = Cipher(algorithms.Blowfish(key), mode=None, backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message")

# ok:insecure-cipher-algorithm-blowfish
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message") + encryptor.finalize()