Check value of usedforsecurity for hashlib #798
Conversation
ericwb
requested review from
ghugo,
lukehinds and
sigmavirus24
as code owners
ericwb
force-pushed
the
usedforsecurity
branch
from
49d80d4
to
7b51d9d
Compare
| @@ -34,6 +34,10 @@ | |||
| CWE information added | |||
| """ | |||
| import sys | |||
|
|
|||
| import distutils | |||
There was a problem hiding this comment.
distutils is such a nightmare I would rather we implement strtobool ourselves instead of relying on it. I believe it is slated to be removed from the stdlib soon too so we will be broken once it does
In Python 3.9+ hashlib has a new argument named usedforsecurity to indicate whether the hash is intended to be used for security or not. The default value is True. So a user must explicit set to False to state their non-security use. As a result of this chnage in Python, the severity has been moved up to HIGH if the usedforsecurity is True. But on earlier versions of Python, the severity will remain at MEDIUM since we don't know the intent of usage. https://docs.python.org/3/library/hashlib.html#hashlib.new Closes #748 Signed-off-by: Eric Brown <browne@vmware.com>
ericwb
force-pushed
the
usedforsecurity
branch
from
7b51d9d
to
2ef632a
Compare
|
This PR may not be complete, as I notice that usedforsecurity can also be passed to convenience functions such as |
Maybe in a separate PR? |
In Python 3.9+ hashlib has a new argument named usedforsecurity
to indicate whether the hash is intended to be used for security
or not. The default value is True. So a user must explicit set
to False to state their non-security use.
As a result of this chnage in Python, the severity has been
moved up to HIGH if the usedforsecurity is True. But on earlier
versions of Python, the severity will remain at MEDIUM since
we don't know the intent of usage.
https://docs.python.org/3/library/hashlib.html#hashlib.new
Closes #748
Signed-off-by: Eric Brown browne@vmware.com