pyramid icon indicating copy to clipboard operation
pyramid copied to clipboard

Published 20 hours ago verified publisher icon Pylons

Replace MD5 usage for predicates, DEFAULT_PHASH

Open akurtz-penguin opened this issue 3 years ago • 3 comments

Feature Request

pyramid.config.predicates uses hashlib.md5

While this MD5 usage isn't security related, MD5 usage is deprecated. It triggers security warnings for scanners, and isn't available in FIPS environment.

Describe the solution you'd like Use a different algorithm, such as SHA256 or SHA512.

Describe alternatives you've considered

  1. Make the algorithm configurable

Additional context https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5

akurtz-penguin avatar Apr 26 '21 20:04 akurtz-penguin

This usage has no bw-compat concerns. I would accept a pr that changed it to something with a focus on speed and reduced collisions. It is not a security-related feature at all so sha256 would work but is likely less performant than some other options that would work here.

mmerickel avatar Apr 26 '21 20:04 mmerickel

Why do we use a hash at all, rather than a full tuple, like we do for discriminators?

luhn avatar Apr 26 '21 22:04 luhn

I don't know why we're using the hash historically. The requirements afaik (off the top of my head) are 1) serializable and 2) comparable for equality. It's used to find duplicate views.

mmerickel avatar Apr 26 '21 22:04 mmerickel

Additionally, since Python 3.9 it should be possible to supply usedforsecurity=False to hashlib hash function constructors to switch to built-in implementation that will be available in FIPS environment as well (see https://docs.python.org/3/library/hashlib.html). This way at least the users of newer Python versions will be able to benefit from it.

gubenkoved avatar Apr 25 '23 12:04 gubenkoved