Tygs / 0bin

Client side encrypted pastebin
https://0bin.net
Do What The F*ck You Want To Public License
1.37k stars 198 forks

insecureHash #147

Closed modem7 closed 11 months ago

modem7 commented 2 years ago

Heya,

I just forked the project to do some work with Docker, and Snyk came back with the following in zerobin/paste.py:

hashlib.sha1 is insecure. Consider changing it to a secure hashing algorithm (e.g. SHA256).

        if not uuid:
            # generate the uuid from the decoded content by hashing it
            # and turning it into base64, with some characters stripped
>           uuid = hashlib.sha1(self.content.encode("utf8"))
            uuid = base64.b64encode(uuid.digest()).decode()
            uuid = uuid.rstrip("=\n").replace("/", "-")

Whether this is a concern or already known, I'm unsure, but thought I'd flag it regardless!

Please close if not a concern.

Cheers!

ksamuel commented 2 years ago

Thanks for noticing. The hash is not used for security, only to create the ID. The worst that can happen is somebody investing a tremendous amount of power to create a collision and erase an existing paste.

I don't think it's a very urgent or likely concern. I'll leave the issue open though, as it would be backward compatible to make it use sha256, so we can always do it in a future release.