Pylons / pyramid

Pyramid - A Python web framework
https://trypyramid.com/

Replace MD5 usage for predicates, DEFAULT_PHASH #3668

Closed akurtz-penguin closed 10 months ago

akurtz-penguin commented 3 years ago

Feature Request

pyramid.config.predicates uses hashlib.md5

While this MD5 usage isn't security related, MD5 usage is deprecated. It triggers security warnings for scanners, and isn't available in a FIPS environment.

Describe the solution you'd like

Use a different algorithm, such as SHA256 or SHA512.

Describe alternatives you've considered

1) Make the algorithm configurable

Additional context

https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5

mmerickel commented 3 years ago

This usage has no bw-compat concerns. I would accept a PR that changed it to something with a focus on speed and reduced collisions. It is not a security-related feature at all, so sha256 would work but is likely less performant than some other options that would work here.

luhn commented 3 years ago

Why do we use a hash at all, rather than a full tuple, like we do for discriminators?

mmerickel commented 3 years ago

I don't know why we're using the hash historically. The requirements afaik (off the top of my head) are 1) serializable and 2) comparable for equality. It's used to find duplicate views.

gubenkoved commented 1 year ago

Additionally, since Python 3.9 it should be possible to supply usedforsecurity=False to hashlib hash function constructors to switch to the built-in implementation that will be available in a FIPS environment as well (see https://docs.python.org/3/library/hashlib.html). This way at least the users of newer Python versions will be able to benefit from it.
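Putting the thread's two points together (a predicate hash only needs to be serializable and comparable for equality, and Python 3.9+ lets a non-security hash be flagged as such), here is an added example of a predicate-hash helper. It is constructed for this discussion and is not Pyramid's own code; `predicate_hash`, `_new_hasher` and the length-prefixing are assumptions.

```python
"""Hypothetical predicate-hash helper (constructed example, not Pyramid's code).

It hashes the serialized text of a view's predicates so that two view
registrations with the same predicates produce the same digest and can be
detected as duplicates. Nothing here is security-related, so the digest is
marked as non-security use where the interpreter supports that.
"""
import hashlib
import sys


def _new_hasher(algorithm):
    """Return a fresh hashlib object for ``algorithm`` (e.g. "md5", "blake2b").

    On Python 3.9+ every hashlib constructor accepts usedforsecurity=False,
    which allows md5/sha1 to be constructed even under a FIPS-mode OpenSSL.
    Older interpreters reject the keyword, so they get the plain constructor.
    """
    ctor = getattr(hashlib, algorithm)
    if sys.version_info >= (3, 9):
        return ctor(usedforsecurity=False)
    return ctor()


def predicate_hash(phashes, algorithm="blake2b"):
    """Return a hex digest identifying an ordered sequence of predicate texts.

    ``phashes`` is an iterable of strings, such as the value each predicate's
    phash() method would return. The caller supplies them in canonical order.
    Each entry is length-prefixed so that ["ab", "c"] and ["a", "bc"] do not
    collapse to the same byte stream and therefore the same digest.
    """
    hasher = _new_hasher(algorithm)
    for text in phashes:
        data = text.encode("utf-8")
        hasher.update(len(data).to_bytes(4, "big"))
        hasher.update(data)
    return hasher.hexdigest()


# Digest for a view with no predicates at all (constructed analogue of a
# "default" predicate hash; the value depends on the chosen algorithm).
DEFAULT_PHASH = predicate_hash([])
```

Swapping `algorithm` between "md5", "sha256" and "blake2b" changes only the digest length and speed, not the equality behaviour the registry relies on.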