Add security hint group - enabled by default#1681
Open
mgajda wants to merge 1 commit into
Open
Conversation
…untrusted input
data/hlint.yaml: new group 'security', enabled: true.
Rules:
read x -> Text.Read.readMaybe x side: not (isLitString x) CWE-502
reads x -> Text.Read.readMaybe x side: not (isLitString x) CWE-502
Crypto.Hash.MD5.hash -> Crypto.Hash.SHA256.hash CWE-327
Crypto.Hash.MD5.hashlazy -> Crypto.Hash.SHA256.hashlazy CWE-327
Crypto.Hash.SHA1.hash -> Crypto.Hash.SHA256.hash CWE-327
Crypto.Hash.SHA1.hashlazy -> Crypto.Hash.SHA256.hashlazy CWE-327
Data.Digest.Pure.MD5.md5 -> Crypto.Hash.SHA256.hashlazy CWE-327
Data.Digest.Pure.SHA.sha1 -> Data.Digest.Pure.SHA.sha256 CWE-327
Disable per-rule via `-i "<name>"` or suppress the whole group with
`- group: {name: security, enabled: false}` in .hlint.yaml.
tests/security.test: four cases.
1. security-hash.hs: all six hash rules fire.
2. security-read-nonliteral.hs: `read x` fires for variable `x`.
3. security-read-literal.hs: `read "42"` and `read "3.14"` do not fire.
4. security-ignored.hs: per-rule `-i` suppression yields no hints.
Self-test: 974 tests, 3 failures (all pre-existing on master: issue ndmitchell#1674
intercalate/OverloadedStrings and two record-pattern type-application
cases from PR ndmitchell#1680).
Running hlint with the new group on hlint's own source produces one
finding: src/Test/InputOutput.hs:57 `read code` (parsing an EXIT line
from a .test file).
No HSEC advisory on github.com/haskell/security-advisories maps to
CWE-327 or CWE-502 for these function classes.
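The rule list above written out in hlint's YAML rule syntax, as an added example that reconstructs the group from the description rather than reproducing the PR's actual data/hlint.yaml diff; the rule `name:` values and the `note:` fields carrying the CWE ids are assumptions, and the trailing snippet is what a downstream project would put in its own .hlint.yaml to opt out.

```yaml
# Reconstructed from the PR description; not the PR's own diff.
# Group definition in the shape data/hlint.yaml uses for its other groups.
- group:
    name: security
    enabled: true
    imports:
    - package base
    rules:
    # CWE-502: `read` on a non-literal string is partial; malformed untrusted
    # input aborts the program with "Prelude.read: no parse". The side
    # condition keeps literal arguments such as read "42" out of scope.
    - warn: {lhs: read x, rhs: Text.Read.readMaybe x,
             side: not (isLitString x), name: "Use readMaybe", note: CWE-502}
    - warn: {lhs: reads x, rhs: Text.Read.readMaybe x,
             side: not (isLitString x), name: "Use readMaybe", note: CWE-502}
    # CWE-327: MD5 and SHA-1 are collision-broken; steer callers to SHA-256.
    - warn: {lhs: Crypto.Hash.MD5.hash, rhs: Crypto.Hash.SHA256.hash,
             name: "Avoid MD5", note: CWE-327}
    - warn: {lhs: Crypto.Hash.MD5.hashlazy, rhs: Crypto.Hash.SHA256.hashlazy,
             name: "Avoid MD5", note: CWE-327}
    - warn: {lhs: Crypto.Hash.SHA1.hash, rhs: Crypto.Hash.SHA256.hash,
             name: "Avoid SHA1", note: CWE-327}
    - warn: {lhs: Crypto.Hash.SHA1.hashlazy, rhs: Crypto.Hash.SHA256.hashlazy,
             name: "Avoid SHA1", note: CWE-327}
    - warn: {lhs: Data.Digest.Pure.MD5.md5, rhs: Crypto.Hash.SHA256.hashlazy,
             name: "Avoid MD5", note: CWE-327}
    - warn: {lhs: Data.Digest.Pure.SHA.sha1, rhs: Data.Digest.Pure.SHA.sha256,
             name: "Avoid SHA1", note: CWE-327}

# Downstream project's .hlint.yaml: either switch the whole group off ...
- group: {name: security, enabled: false}
# ... or silence a single rule, equivalent to `-i "Use readMaybe"` on the
# command line. A single accepted site (like the EXIT-line parse noted above)
# is better handled in source with {-# HLINT ignore "Use readMaybe" #-}.
- ignore: {name: "Use readMaybe"}
```

The `reads` rewrite changes the result type (a list of parses versus a `Maybe`), so that hint is a prompt to re-examine the call site rather than a drop-in refactoring.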