Cryptography

PyRandom

The random module uses a Mersenne Twister PRNG — NOT suitable for cryptography. random.random, random.choice, random.randint, and SystemRandom(..) should be flagged for security contexts. Use the secrets module for tokens, passwords, and keys.

Taint flow: 0 sources, 5 sinks

Sinks (dangerous call):
.random()
.randint()
.choice()
.randbytes()
.seed()

Sinks

.random() (Sink)
Signature
random.random() -> float

Non-crypto float in [0.0, 1.0). Sink for security-relevant randomness.

.randint() (Sink)
Signature
random.randint(a: int, b: int) -> int

Non-crypto integer in [a, b]. Sink for security-relevant randomness.

.choice() (Sink)
Signature
random.choice(seq)

Non-crypto random choice. Sink for tokens / passwords / keys.

.randbytes() (Sink)
Signature
random.randbytes(n: int) -> bytes

Non-crypto random bytes. Sink for cryptographic use.

.seed() (Sink)
Signature
random.seed(a=None, version=2) -> None

Seeds the PRNG. Reported as a finding when the seed is a predictable value and the PRNG feeds security-sensitive randomness.

Fully-Qualified Names

FQN      Field
random   fqns[0]

A wrong FQN produces 0 findings. To verify that the rule really matches on the FQN, change fqns to a garbage value; the rule must then produce 0 results.
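As an added illustration (not code from this page or from codepathfinder), the following minimal AST checker shows what the five sinks above look like when matched against the FQN "random", including alias resolution for `import random as r` and `from random import choice as pick`. The SAMPLE source is constructed for this example, and passing a garbage FQN reproduces the "0 findings" check described above.

```python
import ast

# The five sinks this rule lists, all resolved against the FQN "random".
RANDOM_SINKS = {"random", "randint", "choice", "randbytes", "seed"}

# Constructed sample source (not from the page): one weak and one strong token helper.
SAMPLE = """\
import random
import secrets
from random import choice as pick

def weak_token(n):
    random.seed(12345)
    return "".join(pick("abcdef0123456789") for _ in range(n))

def strong_token(n):
    return secrets.token_hex(n)

print(random.randint(0, 9), secrets.randbelow(10))
"""

def _dotted_name(node, aliases):
    """Turn a call target into a dotted name, expanding import aliases."""
    if isinstance(node, ast.Name):
        return aliases.get(node.id, node.id)
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value, aliases)
        return f"{base}.{node.attr}" if base else None
    return None  # calls on call results, subscripts, etc. are not resolved

def find_random_sinks(source, fqn="random"):
    """Return sorted (line, name) pairs for every call to a <fqn>.<sink> target."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully-qualified name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func, aliases)
            if name and name.startswith(fqn + ".") and name.rsplit(".", 1)[1] in RANDOM_SINKS:
                hits.append((node.lineno, name))
    return sorted(hits)
```

Running find_random_sinks(SAMPLE) reports the seed, the aliased choice and the randint call (sample lines 6, 7 and 12) while leaving the secrets calls alone; find_random_sinks(SAMPLE, fqn="garbage") returns an empty list.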

Import

rule.py
from codepathfinder.go_rule import PyRandom