rspec/rules/S2257/python/rule.adoc

The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Standard algorithms like ``++Argon2PasswordHasher++``, ``++BCryptPasswordHasher++``, ... should be used instead.


This rule tracks creation of ``++BasePasswordHasher++`` subclasses for Django applications.

include::../recommended.adoc[]

== Sensitive Code Example

----
class CustomPasswordHasher(BasePasswordHasher):  # Sensitive
    # ...
----

== See

* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Standard algorithms like ``++Argon2PasswordHasher++``, ``++BCryptPasswordHasher++``, ... should be used instead.
Nightly update 2021-01-20 04:06:26 +00:00
Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			This rule tracks creation of ``++BasePasswordHasher++`` subclasses for Django applications.
Nightly update 2021-01-20 04:06:26 +00:00
			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`class CustomPasswordHasher(BasePasswordHasher): # Sensitive`
			`# ...`
			`----`

			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures`
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`endif::env-github,rspecator-view[]`