Cryptography
hashlib, hmac, ssl, secrets — weak crypto detection
PyAuth0: Third-party Python package module — auth0. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyAuthlib: Authlib is a comprehensive OAuth / OpenID / JWT library. JsonWebToken.decode() and the OAuth client Client.parse_request_body_response track access-token flows.
PyCrypt: The crypt module (deprecated in 3.11, removed in 3.13). crypt.crypt() wraps the Unix crypt(3) call. Most default methods are weak (DES, MD5). Use passlib or hashlib.scrypt / pbkdf2_hmac instead.
PyCryptography: The cryptography package provides recipes (Fernet) and primitives (hazmat). Fernet is the recommended symmetric encryption helper. Findings arise when hazmat primitives are used with obsolete algorithms (MD5, DES, RC4) or ECB mode.
PyGetpass: The getpass module. getpass.getpass() prompts for a password without echoing. getpass.getuser() returns the current user — source when used for authorization decisions.
PyHashlib: The hashlib module provides cryptographic hash functions. md5 and sha1 are cryptographically broken — findings for password hashing / signature use. For password hashing use hashlib.scrypt, pbkdf2_hmac, or the passlib / argon2-cffi packages.
PyHmac: The hmac module for keyed message authentication. compare_digest is the only constant-time comparison helper — using ordinary == for MAC comparison is a timing-attack sink.
PyHvac: hvac is the Python client for HashiCorp Vault. Client.secrets.kv.v2.read_secret_version reads a secret — the returned payload is a source. Client() with verify=False disables TLS verification (major finding).
PyJks: Third-party Python package module — jks. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyJose: python-jose implements JWT / JWS / JWE. jwt.decode() is the canonical validation entry point. Finding when algorithms=['none'] is passed (unsigned token acceptance) or verify_signature=False.
PyJwcrypto: Third-party Python package module — jwcrypto. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyOauthlib: oauthlib implements the OAuth 1 / OAuth 2 protocols. WebApplicationClient.parse_request_uri_response extracts the authorization code from the callback URL — source for subsequent token exchange.
PyParamiko: paramiko is the SSH / SFTP client for Python. SSHClient.set_missing_host_key_policy with AutoAddPolicy() silently trusts unknown hosts — MITM risk. exec_command() is a command-execution sink when the command is user-controlled.
PyPasspy: Third-party Python package module — passpy. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyPyjwt: PyJWT decodes and validates JWTs. jwt.decode() with algorithms=['none'] or options={'verify_signature': False} accepts unsigned tokens — major finding. Always pass algorithms explicitly.
PyPysftp: pysftp wraps paramiko with a simpler SFTP interface. Connection(host, cnopts=...) with CnOpts.hostkeys=None disables host-key checking — MITM finding.
PyRandom: The random module uses a Mersenne Twister PRNG — NOT suitable for cryptography. random.random, random.choice, random.randint, and SystemRandom(..) should be flagged for security contexts. Use the secrets module for tokens, passwords, and keys.
PyRequestsOauthlib: Third-party Python package module — requests_oauthlib. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PySecrets: The secrets module provides cryptographically strong random values suitable for managing authentication tokens. Use secrets instead of the random module for session IDs, tokens, and CSRF nonces.
PySsl: The ssl module for TLS / SSL. SSLContext with verify_mode=CERT_NONE disables certificate validation (MITM risk). _create_unverified_context() is an explicit bypass — finding for any production code. Use create_default_context() for sane defaults.
PyTgcrypto: Third-party Python package module — tgcrypto. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyWerkzeugSecurity: werkzeug.security provides generate_password_hash and check_password_hash. The default method is pbkdf2:sha256 with 600_000 iterations. Findings arise when method='plain' or a weak hasher is passed explicitly.
PyZxcvbn: Third-party Python package module — zxcvbn. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.