3YOURMIND / django-migration-linter

:rocket: Detect backward incompatible migrations for your django project
https://pypi.python.org/pypi/django-migration-linter/
Apache License 2.0

Run in FIPS enabled environment with python3.10+ #292

Open markesha opened 3 weeks ago

markesha commented 3 weeks ago

Python 3.10 and later versions rely on OpenSSL 1.1.1 or newer, which includes FIPS-compliance checks.

MD5 is not an approved algorithm in FIPS mode, so attempting to instantiate hashlib.md5() in get_migration_hash will fail when the system is running in FIPS mode.

Since MD5 is used in a non-security context, the usedforsecurity flag should be added.

    @staticmethod
    def get_migration_hash(app_label: str, migration_name: str) -> str:
        hash_md5 = hashlib.md5(usedforsecurity=False)
        with open(get_migration_abspath(app_label, migration_name), "rb") as f:
            for chunk in iter(lambda: f.read(4096), b""):
                hash_md5.update(chunk)
        return hash_md5.hexdigest()

The same issue in Django https://github.com/django/django/commit/d10c7bfe56f025ccc690721c9f13e7029b777b9c

    Traceback (most recent call last):
    12:57:05    File "/src/backend/manage.py", line 12, in <module>
    12:57:05      execute_from_command_line(sys.argv)
    12:57:05    File "/src/.venv/lib/python3.12/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    12:57:05      utility.execute()
    12:57:05    File "/src/.venv/lib/python3.12/site-packages/django/core/management/__init__.py", line 436, in execute
    12:57:05      self.fetch_command(subcommand).run_from_argv(self.argv)
    12:57:05    File "/src/.venv/lib/python3.12/site-packages/django/core/management/base.py", line 412, in run_from_argv
    12:57:05      self.execute(*args, **cmd_options)
    12:57:05    File "/src/.venv/lib/python3.12/site-packages/django/core/management/base.py", line 458, in execute
    12:57:05      output = self.handle(*args, **options)
    12:57:05               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    12:57:05    File "/src/.venv/lib/python3.12/site-packages/django_migration_linter/management/commands/lintmigrations.py", line 180, in handle
    12:57:05      linter.lint_all_migrations(
    12:57:05    File "/src/.venv/lib/python3.12/site-packages/django_migration_linter/migration_linter.py", line 151, in lint_all_migrations
    12:57:05      self.lint_migration(m)
    12:57:05    File "/src/.venv/lib/python3.12/site-packages/django_migration_linter/migration_linter.py", line 162, in lint_migration
    12:57:05      md5hash = self.get_migration_hash(app_label, migration_name)
    12:57:05                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    12:57:05    File "/src/.venv/lib/python3.12/site-packages/django_migration_linter/migration_linter.py", line 234, in get_migration_hash
    12:57:05      hash_md5 = hashlib.md5()
    12:57:05                 ^^^^^^^^^^^^^
    12:57:05  ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

David-Wobrock commented 3 weeks ago

Thanks @markesha for opening an issue.

That would make sense indeed to use something other than MD5. Feel free to suggest a PR :)

Otherwise, I'll try to look into it, but I can't commit to any time frame :)

markesha commented 1 week ago

@David-Wobrock here you go https://github.com/3YOURMIND/django-migration-linter/pull/293
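
An added example, not code from this thread or from django-migration-linter: a small `ast`-based check that lists `hashlib` MD5 calls which omit `usedforsecurity=False`, the pattern behind the `ValueError` in the traceback above. The names `find_fips_unsafe_hashes`, `BLOCKED` and `SAMPLE` are hypothetical, and the sample source is constructed.

```python
import ast

# The issue names MD5 as the digest rejected in FIPS mode; extend the set as needed.
BLOCKED = {"md5"}

# Constructed sample input (not code from the project). It is parsed, never executed.
SAMPLE = '''\
import hashlib
from hashlib import md5 as legacy

a = hashlib.md5()
b = hashlib.md5(usedforsecurity=False)
c = hashlib.new("MD5", b"x")
d = legacy(b"x")
e = hashlib.sha256(b"x")
'''


def _opted_out(call):
    """True when the call passes the literal usedforsecurity=False."""
    return any(kw.arg == "usedforsecurity" and isinstance(kw.value, ast.Constant)
               and kw.value.value is False for kw in call.keywords)


def find_fips_unsafe_hashes(source):
    """Return sorted (line, algorithm) pairs for blocked hashlib calls lacking the flag."""
    tree = ast.parse(source)
    # Local names bound by `from hashlib import md5 [as alias]`.
    direct = {a.asname or a.name: a.name for n in ast.walk(tree)
              if isinstance(n, ast.ImportFrom) and n.module == "hashlib"
              for a in n.names if a.name in BLOCKED}
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func, algo = node.func, None
        if isinstance(func, ast.Name):
            algo = direct.get(func.id)  # md5(...) imported directly
        elif (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
              and func.value.id == "hashlib"):
            if func.attr == "new" and node.args and isinstance(node.args[0], ast.Constant):
                algo = str(node.args[0].value).lower()  # hashlib.new("md5", ...)
            else:
                algo = func.attr  # hashlib.md5(...)
        if algo in BLOCKED and not _opted_out(node):
            findings.append((node.lineno, algo))
    return sorted(findings)


if __name__ == "__main__":
    print(find_fips_unsafe_hashes(SAMPLE))
```

The check does not follow `import hashlib as h` aliases or algorithm names held in variables, so treat an empty result as a first pass rather than proof.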