dateparser
dateparser doesn't work in FIPS compliant environments
Many secure environments disable the hashlib.md5 function because it is insecure; this causes the line below to fail, making dateparser unusable in these environments:
https://github.com/scrapinghub/dateparser/blob/02bd2e5dd4477b4f6db98c5e98149458eb3cc821/dateparser/conf.py#L52
This can easily be remedied by replacing that line with return hashlib.md5("".join(keys).encode("utf-8"), usedforsecurity=False).hexdigest(), which appropriately bypasses the FIPS security check because dateparser is not using the md5 hash for security applications.
This is a great project, would appreciate it if this fix could be pushed so it becomes useable in FIPS-compliant environments!
Thanks for the ack. I'd be happy to PR this myself if you give me permissions to contribute!
No need for permissions, feel free to create a PR from a fork.
If trevor-scale is unable to create the PR, I would be more than happy to do it. However, wouldn't this change be a breaking change, since the setup.py requires Python 3.8 or later? This change would force users to 3.9.
That's a good point. It's a bit ugly, but we can do a check on sys.version.info and only set the usedforsecurity=False flag if the version is >=3.9.
This should support >= 3.8
return hashlib.new("md5", "".join(keys).encode("utf-8"), usedforsecurity=True).hexdigest()
PR submitted here: https://github.com/scrapinghub/dateparser/pull/1267
@trevor-scale The code I pasted above was a test to make sure the command still failed within a FIPS-enabled environment. For it to work properly in this setup, it would need to set usedforsecurity=False.
Removing support for 3.8 is fine, it is end-of-life.
@trevor-scale Looks like @Gallaecio doesn't mind the breaking change since 3.8 is end of support. I will leave it to you guys on how the PR should be adjusted.
Also, I am not a maintainer of this repo so I cannot approve or merge the PR.
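The version-gated call discussed in this thread, as an added example that is not dateparser's code and not part of any comment above. The names settings_cache_key, fips_like_md5 and md5_blocked are hypothetical, and fips_like_md5 is a constructed stand-in (it needs Python 3.9+) that lets the behaviour be checked on a host without FIPS enforcement.

```python
import hashlib
import sys


def settings_cache_key(keys, md5=hashlib.md5):
    """Hash a list of setting names into a cache key (not a security use)."""
    data = "".join(keys).encode("utf-8")
    if sys.version_info >= (3, 9):
        # usedforsecurity was added to hashlib constructors in Python 3.9.
        return md5(data, usedforsecurity=False).hexdigest()
    # Python 3.8: the keyword does not exist, so this call still fails under FIPS.
    return md5(data).hexdigest()


def fips_like_md5(data=b"", *, usedforsecurity=True):
    """Constructed stand-in for hashlib.md5 on a FIPS-enforcing build."""
    if usedforsecurity:
        # Constructed message; a real build raises ValueError from OpenSSL.
        raise ValueError("md5 is disabled for FIPS (constructed message)")
    return hashlib.new("md5", data, usedforsecurity=False)


def md5_blocked(md5=hashlib.md5):
    """True if a plain md5() call is refused, as it is when FIPS is enforced."""
    try:
        md5(b"")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    keys = ["DATE_ORDER", "PREFER_DATES_FROM"]  # sample setting names
    print("plain md5 blocked on this host:", md5_blocked())
    print("plain md5 blocked on stand-in: ", md5_blocked(fips_like_md5))
    print("cache key via stand-in:        ", settings_cache_key(keys, md5=fips_like_md5))
```

Passing the stand-in as the md5 argument gives a regression test for the FIPS failure that runs in ordinary CI.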