language: py
name: hashid-with-django-secret
message: Detected usage of Django secret as salt in HashID
category: security

pattern: |
  (call
    function: (identifier) @hashid
    arguments: (argument_list
      (_)*
      (attribute
        object: (identifier) @settings
        attribute: (identifier) @secretkey)
      (_)*)
    (#eq? @hashid "Hashids")
    (#eq? @settings "settings")
    (#eq? @secretkey "SECRET_KEY")) @hashid-with-django-secret

  (call
    function: (identifier) @hashid
    arguments: (argument_list
      (_)*
      (keyword_argument
        name: (identifier) @salt
        value: (attribute
          object: (identifier) @settings
          attribute: (identifier) @secretkey))
      (_)*)
    (#eq? @hashid "Hashids")
    (#eq? @salt "salt")
    (#eq? @settings "settings")
    (#eq? @secretkey "SECRET_KEY")) @hashid-with-django-secret

description: |
  Django's secret key is used as salt in HashIDs, which are insecure. Attackers can recover the salt by analyzing enough HashIDs, exposing the secret key.