Hmac allows hashlib hashes as digest (#105)

Signed-off-by: Eric Brown <eric.brown@securesauce.dev>

Author: ericwb

precli/rules/python/stdlib/hmac/hmac_weak_hash.py

@@ -81,6 +81,13 @@
 
 
 WEAK_HASHES = ("md4", "md5", "ripemd160", "sha", "sha1")
+HASHLIB_WEAK_HASHES = (
+    "hashlib.md4",
+    "hashlib.md5",
+    "hashlib.ripemd160",
+    "hashlib.sha",
+    "hashlib.sha1",
+)
 
 
 class HmacWeakHash(Rule):
@@ -108,33 +115,37 @@ def analyze(self, context: dict, **kwargs: dict) -> Result:
             """
             hmac.new(key, msg=None, digestmod='')
             """
-            name = call.get_argument(position=2, name="digestmod").value
+            argument = call.get_argument(position=2, name="digestmod")
+            digestmod = argument.value
 
-            # TODO(ericwb): can hashlib.md5 be passed as digestmod?
-
-            if isinstance(name, str) and name.lower() in WEAK_HASHES:
+            if (
+                isinstance(digestmod, str) and digestmod.lower() in WEAK_HASHES
+            ) or digestmod in HASHLIB_WEAK_HASHES:
                 return Result(
                     rule_id=self.id,
                     location=Location(
                         file_name=context["file_name"],
-                        node=call.function_node,
+                        node=argument.node,
                     ),
                     level=Level.ERROR,
-                    message=self.message.format(name),
+                    message=self.message.format(digestmod),
                 )
         elif call.name_qualified in ["hmac.digest"]:
             """
             hmac.digest(key, msg, digest)
             """
-            name = call.get_argument(position=2, name="digest").value
+            argument = call.get_argument(position=2, name="digest")
+            digest = argument.value
 
-            if isinstance(name, str) and name.lower() in WEAK_HASHES:
+            if (
+                isinstance(digest, str) and digest.lower() in WEAK_HASHES
+            ) or digest in HASHLIB_WEAK_HASHES:
                 return Result(
                     rule_id=self.id,
                     location=Location(
                         file_name=context["file_name"],
-                        node=call.function_node,
+                        node=argument.node,
                     ),
                     level=Level.ERROR,
-                    message=self.message.format(name),
+                    message=self.message.format(digest),
                 )

tests/unit/rules/python/stdlib/hmac/examples/hmac_digest_hashlib_blake2b.py

@@ -0,0 +1,7 @@
+import hashlib
+import hmac
+
+
+key = b"my-secret-key"
+message = b"Hello, world!"
+hmac.digest(key, message, digest=hashlib.blake2b)

tests/unit/rules/python/stdlib/hmac/examples/hmac_digest_hashlib_blake2s.py

@@ -0,0 +1,7 @@
+import hashlib
+import hmac
+
+
+key = b"my-secret-key"
+message = b"Hello, world!"
+hmac.digest(key, message, digest=hashlib.blake2s)

tests/unit/rules/python/stdlib/hmac/examples/hmac_digest_hashlib_md4.py

@@ -0,0 +1,7 @@
+import hashlib
+import hmac
+
+
+key = b"my-secret-key"
+message = b"Hello, world!"
+hmac.digest(key, message, digest=hashlib.md4)

tests/unit/rules/python/stdlib/hmac/examples/hmac_digest_hashlib_md5.py

@@ -0,0 +1,7 @@
+import hashlib
+import hmac
+
+
+key = b"my-secret-key"
+message = b"Hello, world!"
+hmac.digest(key, message, digest=hashlib.md5)

tests/unit/rules/python/stdlib/hmac/examples/hmac_digest_hashlib_ripemd160.py

@@ -0,0 +1,7 @@
+import hashlib
+import hmac
+
+
+key = b"my-secret-key"
+message = b"Hello, world!"
+hmac.digest(key, message, digest=hashlib.ripemd160)

tests/unit/rules/python/stdlib/hmac/examples/hmac_digest_hashlib_sha.py

@@ -0,0 +1,7 @@
+import hashlib
+import hmac
+
+
+key = b"my-secret-key"
+message = b"Hello, world!"
+hmac.digest(key, message, digest=hashlib.sha)

tests/unit/rules/python/stdlib/hmac/examples/hmac_digest_hashlib_sha1.py

@@ -0,0 +1,7 @@
+import hashlib
+import hmac
+
+
+key = b"my-secret-key"
+message = b"Hello, world!"
+hmac.digest(key, message, digest=hashlib.sha1)

tests/unit/rules/python/stdlib/hmac/examples/hmac_digest_hashlib_sha224.py

@@ -0,0 +1,7 @@
+import hashlib
+import hmac
+
+
+key = b"my-secret-key"
+message = b"Hello, world!"
+hmac.digest(key, message, digest=hashlib.sha224)

tests/unit/rules/python/stdlib/hmac/examples/hmac_digest_hashlib_sha256.py

@@ -0,0 +1,7 @@
+import hashlib
+import hmac
+
+
+key = b"my-secret-key"
+message = b"Hello, world!"
+hmac.digest(key, message, digest=hashlib.sha256)