Python: Add example of test-code with weak crypto key

RasmusWL · RasmusWL · commit bfc8ead6673e · 2021-02-19T15:04:14.000+01:00
diff --git a/python/ql/test/query-tests/Security/CWE-326/WeakCryptoKey.expected b/python/ql/test/query-tests/Security/CWE-326/WeakCryptoKey.expected
@@ -1,3 +1,4 @@
+| test_example.py:7:5:7:22 | ControlFlowNode for Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | test_example.py:7:18:7:21 | ControlFlowNode for IntegerLiteral | 1024 |
 | weak_crypto.py:68:1:68:21 | ControlFlowNode for dsa_gen_key() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | ControlFlowNode for IntegerLiteral | 1024 |
 | weak_crypto.py:69:1:69:19 | ControlFlowNode for ec_gen_key() | Creation of an ECC key uses $@ bits, which is below 224 and considered breakable. | weak_crypto.py:22:11:22:24 | ControlFlowNode for Attribute() | 163 |
 | weak_crypto.py:70:1:70:28 | ControlFlowNode for rsa_gen_key() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 |
@@ -7,3 +8,4 @@
 | weak_crypto.py:76:1:76:22 | ControlFlowNode for Attribute() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | ControlFlowNode for IntegerLiteral | 1024 |
 | weak_crypto.py:77:1:77:22 | ControlFlowNode for Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 |
 | weak_crypto.py:84:12:84:29 | ControlFlowNode for Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 |
+| weak_crypto.py:95:12:95:29 | ControlFlowNode for Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | test_example.py:9:23:9:26 | ControlFlowNode for IntegerLiteral | 1024 |
diff --git a/python/ql/test/query-tests/Security/CWE-326/test_example.py b/python/ql/test/query-tests/Security/CWE-326/test_example.py
@@ -0,0 +1,9 @@
+from Cryptodome.PublicKey import RSA
+
+from weak_crypto import only_used_by_test
+
+def test_example():
+    # This is technically not ok, but since it's in a test, we don't want to alert on it
+    RSA.generate(1024)
+
+    only_used_by_test(1024)
diff --git a/python/ql/test/query-tests/Security/CWE-326/weak_crypto.py b/python/ql/test/query-tests/Security/CWE-326/weak_crypto.py
@@ -88,3 +88,8 @@ def make_new_rsa_key_weak(bits):
 def make_new_rsa_key_strong(bits):
     return RSA.generate(bits) # OK
 make_new_rsa_key_strong(RSA_STRONG)
+
+
+def only_used_by_test(bits):
+    # Although this call will technically not be ok, since it's only used in a test, we don't want to alert on it.
+    return RSA.generate(bits)
