python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret

rules:
  - id: hashids-with-flask-secret
    languages:
      - python
    message: The Flask secret key is used as salt in HashIDs. The HashID mechanism
      is not secure. By observing sufficient HashIDs, the salt used to construct
      them can be recovered. This means the Flask secret key can be obtained by
      attackers, through the HashIDs.
    metadata:
      category: security
      subcategory:
        - vuln
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A02:2021 – Cryptographic Failures
      references:
        - https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY
        - http://carnage.github.io/2015/08/cryptanalysis-of-hashids
      technology:
        - flask
      likelihood: LOW
      impact: HIGH
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    pattern-either:
      - pattern: hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...)
      - pattern: hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...)
      - patterns:
          - pattern-inside: |
              $APP = flask.Flask(...)
              ...
          - pattern-either:
              - pattern: hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...)
              - pattern: hashids.Hashids($APP.config['SECRET_KEY'], ...)
    severity: ERROR