0bin

insecureHash

Open · modem7 opened this issue 3 years ago · 1 comment

Heya,

I just forked the project to do some work with Docker, and Snyk came back with the following in zerobin/paste.py:

hashlib.sha1 is insecure. Consider changing it to a secure hashing algorithm (e.g. SHA256).

        if not uuid:
            # generate the uuid from the decoded content by hashing it
            # and turning it into base64, with some characters stripped
>           uuid = hashlib.sha1(self.content.encode("utf8"))
            uuid = base64.b64encode(uuid.digest()).decode()
            uuid = uuid.rstrip("=\n").replace("/", "-")

Whether this is a concern or already known, I'm unsure, but thought I'd flag it regardless!

Please close if not a concern.

Cheers!

modem7 · Mar 10 '22 19:03

Thanks for noticing. The hash is not used for security, only to create the ID. The worst that can happen is somebody investing a tremendous amount of power to create a collision and erase an existing paste.

I don't think it's a very urgent or likely concern. I'll leave the issue open though, as it would be backward compatible to make it use sha256, so we can always do it in a future release.

ksamuel · Mar 14 '22 11:03
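To make the two points of the thread concrete (the ID is a content hash, so a collision would overwrite an existing paste, and a switch to sha256 is backward compatible because old and new IDs simply differ in length), here is an added example that is not part of 0bin's code or this issue. `paste_id` reimplements the quoted derivation with the hash algorithm as a parameter; `id_algorithm` and `PasteStore` are hypothetical helpers, the latter an in-memory stand-in that refuses a write whose ID already maps to different content instead of silently erasing it.

```python
import base64
import hashlib


def paste_id(content: str, algo: str = "sha1") -> str:
    """Derive a paste ID from its content the way the quoted snippet does:
    hash, base64, strip '=' padding and newlines, map '/' to '-'.
    The hash algorithm is a parameter so sha1 and sha256 can be compared."""
    digest = hashlib.new(algo, content.encode("utf8")).digest()
    return base64.b64encode(digest).decode().rstrip("=\n").replace("/", "-")


def id_algorithm(uuid: str) -> str:
    """Tell which hash produced an ID from its length: a 20-byte sha1 digest
    encodes to 27 characters once padding is stripped, a 32-byte sha256
    digest to 43, so old and new IDs can coexist in one store."""
    return {27: "sha1", 43: "sha256"}.get(len(uuid), "unknown")


class PasteStore:
    """Constructed in-memory stand-in for paste storage (hypothetical, not
    0bin's code). id_fn is injectable so a deliberately weak ID function can
    be used in a test to provoke the collision the thread describes."""

    def __init__(self, id_fn=paste_id):
        self._id_fn = id_fn
        self._pastes: dict = {}

    def save(self, content: str):
        """Return (uuid, stored). A write whose ID already maps to different
        content is refused rather than silently erasing the existing paste."""
        uuid = self._id_fn(content)
        existing = self._pastes.get(uuid)
        if existing is not None and existing != content:
            return uuid, False
        self._pastes[uuid] = content
        return uuid, True

    def get(self, uuid: str):
        return self._pastes.get(uuid)


if __name__ == "__main__":
    sample = "hello 0bin"  # constructed sample content
    for algo in ("sha1", "sha256"):
        uid = paste_id(sample, algo)
        print(algo, uid, len(uid), id_algorithm(uid))
```

The refusal in `save` is the defensive check a store keyed on a content hash wants regardless of the algorithm: a collision then surfaces as a rejected write rather than a lost paste.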