|
| 1 | +import libcst as cst |
| 2 | + |
| 3 | +from codemodder.codemods.base_codemod import ( |
| 4 | + Metadata, |
| 5 | + ReviewGuidance, |
| 6 | + ToolMetadata, |
| 7 | + ToolRule, |
| 8 | +) |
| 9 | +from codemodder.codemods.libcst_transformer import ( |
| 10 | + LibcstResultTransformer, |
| 11 | + LibcstTransformerPipeline, |
| 12 | + NewArg, |
| 13 | +) |
| 14 | +from codemodder.codemods.semgrep import SemgrepSarifFileDetector |
| 15 | +from codemodder.result import fuzzy_column_match, same_line |
| 16 | +from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id |
| 17 | + |
| 18 | +RSA_KEYSIZE = "2048" |
| 19 | + |
| 20 | + |
| 21 | +class RsaKeySizeTransformer(LibcstResultTransformer): |
| 22 | + change_description = "Change the RSA key size to 2048" |
| 23 | + |
| 24 | + def on_result_found(self, original_node, updated_node): |
| 25 | + if len(original_node.args) < 2: |
| 26 | + return original_node |
| 27 | + |
| 28 | + if original_node.args[1].keyword is None: |
| 29 | + new_args = [original_node.args[0], self.make_new_arg(RSA_KEYSIZE)] |
| 30 | + else: |
| 31 | + new_args = self.replace_args( |
| 32 | + original_node, |
| 33 | + [NewArg(name="key_size", value=RSA_KEYSIZE, add_if_missing=False)], |
| 34 | + ) |
| 35 | + return self.update_arg_target(updated_node, new_args) |
| 36 | + |
| 37 | + def filter_by_result(self, node) -> bool: |
| 38 | + """ |
| 39 | + Special case result-matching for this rule because the SAST |
| 40 | + results returned have a start/end column for the key_size keyword |
| 41 | + within the call, not for the entire call. |
| 42 | + """ |
| 43 | + match node: |
| 44 | + case cst.Call(): |
| 45 | + pos_to_match = self.node_position(node) |
| 46 | + return any( |
| 47 | + self.match_location(pos_to_match, result) |
| 48 | + for result in self.results or [] |
| 49 | + ) |
| 50 | + return False |
| 51 | + |
| 52 | + def match_location(self, pos, result): |
| 53 | + return any( |
| 54 | + same_line(pos, location) and fuzzy_column_match(pos, location) |
| 55 | + for location in result.locations |
| 56 | + ) |
| 57 | + |
| 58 | + |
| 59 | +SemgrepRsaKeySize = SemgrepCodemod( |
| 60 | + metadata=Metadata( |
| 61 | + name="rsa-key-size", |
| 62 | + summary=RsaKeySizeTransformer.change_description.title(), |
| 63 | + description=RsaKeySizeTransformer.change_description.title(), |
| 64 | + review_guidance=ReviewGuidance.MERGE_WITHOUT_REVIEW, |
| 65 | + tool=ToolMetadata( |
| 66 | + name="Semgrep", |
| 67 | + rules=[ |
| 68 | + ToolRule( |
| 69 | + id=( |
| 70 | + rule_id := "python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size" |
| 71 | + ), |
| 72 | + name="insufficient-rsa-key-size", |
| 73 | + url=semgrep_url_from_id(rule_id), |
| 74 | + ) |
| 75 | + ], |
| 76 | + ), |
| 77 | + references=[], |
| 78 | + ), |
| 79 | + transformer=LibcstTransformerPipeline(RsaKeySizeTransformer), |
| 80 | + detector=SemgrepSarifFileDetector(), |
| 81 | + requested_rules=[rule_id], |
| 82 | +) |
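Review bot: In the `keyword is None` branch of `on_result_found`, `new_args` is rebuilt from `original_node.args[0]` and the generated key-size argument only, so any further arguments on the matched call (a third positional or trailing keyword argument) are silently dropped from the rewritten node, which turns a key-size hardening into a breaking edit under `MERGE_WITHOUT_REVIEW`. Keeping the tail preserves them: `new_args = [original_node.args[0], self.make_new_arg(RSA_KEYSIZE), *original_node.args[2:]]` (whether `make_new_arg` emits a trailing comma compatible with a following argument is not visible here and should be confirmed against the helper). A short comment on that branch stating why the two call shapes are handled separately, e.g. `# key_size given positionally: replace the second argument in place; keyword form is handled by replace_args`, would help the next reader. Separately, `change_description.title()` renders the metadata summary as "Change The Rsa Key Size To 2048", down-casing the acronym; a literal summary string avoids that.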