Description

The following insecure hash functions are currently in use within Rucio:
- `sha1`
- `md5`

The linter log below lists the uses identified by the linter, but there are other instances as well. For example, `get_auth_token_user_pass` expects a SHA1 hash of the password (rucio/lib/rucio/api/authentication.py, lines 124 to 147 in 834a7c0).

To do

In each instance of `sha1` and `md5` usage:
- For most cases, SHA-256 is a good compromise between speed and safety.
- Otherwise, add the inline comment `# noqa: S324`.

Linter log

❯ ruff check --select S324
lib/rucio/common/dumper/data_models.py:175:13: S324 Probable use of insecure hash functions in `hashlib`: `sha1`
lib/rucio/common/utils.py:303:16: S324 Probable use of insecure hash functions in `hashlib`: `md5`
lib/rucio/core/did.py:98:20: S324 Probable use of insecure hash functions in `hashlib`: `md5`
lib/rucio/core/oidc.py:131:11: S324 Probable use of insecure hash functions in `hashlib`: `md5`
lib/rucio/daemons/auditor/hdfs.py:58:13: S324 Probable use of insecure hash functions in `hashlib`: `sha1`
lib/rucio/daemons/auditor/srmdumps.py:249:9: S324 Probable use of insecure hash functions in `hashlib`: `sha1`
lib/rucio/daemons/c3po/c3po.py:220:48: S324 Probable use of insecure hash functions in `hashlib`: `md5`
lib/rucio/rse/protocols/protocol.py:114:16: S324 Probable use of insecure hash functions in `hashlib`: `md5`
Found 8 errors.

Also other cases, e.g. `get_auth_token_user_pass`.

See also

Steps to reproduce
N/A

Rucio Version
No response

Additional Information
No response

The oidc one which shows up is something to check though.

A hash function is used to simplify avoiding the key restrictions of either dogpile.cache or Memcached (we could have devised a function that removes or replaces unacceptable characters instead). The payload that is hashed cannot be affected by a user, whether directly or indirectly. Given that MD5 is less expensive for the CPU, I don’t see sufficient motivation to replace it.
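The two remediations the issue proposes, shown side by side with the flagged form, as an added example that is not Rucio's code: SHA-256 for a content checksum, and, for the non-security cache-key use described in the comment about dogpile.cache/Memcached, keeping a fast digest while declaring the intent with `usedforsecurity=False` (accepted by `hashlib` since Python 3.9; ruff's S324 treats that argument as a non-security use, so it documents the decision the issue would otherwise record with `# noqa: S324`). The payload shapes are constructed, and the memcached key rules checked at the end (at most 250 bytes, no whitespace or control characters) are memcached's own limits, not something the issue states.

```python
"""Added example (not Rucio code): remediation patterns for S324 findings."""
import hashlib
import json

# memcached's documented key limits (assumption: the issue itself does not state them)
MEMCACHED_MAX_KEY_BYTES = 250


def checksum_flagged(data: bytes) -> str:
    """The form the linter reports: a bare hashlib.sha1() used for a content checksum.
    Kept only as the 'before'."""
    return hashlib.sha1(data).hexdigest()  # noqa: S324


def checksum_sha256(data: bytes) -> str:
    """Remediation 1 from the issue: SHA-256 where the digest is relied on for integrity."""
    return hashlib.sha256(data).hexdigest()


def cache_key_md5(payload: dict) -> str:
    """Remediation 2: a non-security use, normalising a payload into a backend-safe key.

    The digest only maps a non-user-controlled payload onto a key that satisfies the
    cache backend's restrictions, so collision resistance is not what it is for.
    usedforsecurity=False records that for reviewers and for the linter.
    """
    # canonical serialisation so that equal payloads always give the same key
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.md5(canonical, usedforsecurity=False).hexdigest()


def is_valid_memcached_key(key: str) -> bool:
    """Memcached rejects keys longer than 250 bytes or containing whitespace or
    control characters; a hex digest never violates either rule."""
    raw = key.encode()
    if not raw or len(raw) > MEMCACHED_MAX_KEY_BYTES:
        return False
    return all(0x21 <= b <= 0x7E for b in raw)


if __name__ == "__main__":
    # constructed sample payload with characters memcached would reject in a raw key
    payload = {"scope": "user.alice", "name": "file with spaces\n", "rse": "SITE_DISK"}
    print("sha256 checksum:", checksum_sha256(b"example file content"))
    key = cache_key_md5(payload)
    print("cache key:", key, "valid:", is_valid_memcached_key(key))
```

The key function is the one to audit when deciding between the two remediations: if anything in the payload can be chosen by a user, a digest with known collisions lets one payload alias another's cache entry, and the SHA-256 route is the safe default; if it cannot, as the comment states for the oidc case, declaring the non-security use is enough.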
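For the password case the issue singles out (`get_auth_token_user_pass` receiving a bare SHA1 of the password), an added example that is not Rucio's code and goes beyond the issue's SHA-256 suggestion: a password should not be protected by any bare fast hash, so the 'after' replaces it with a salted, iterated PBKDF2-HMAC-SHA256 from the standard library and a constant-time comparison. The function names, the `iterations$salt$digest` record format and the iteration count are assumptions for this example.

```python
"""Added example (not Rucio code): replacing a bare SHA1 password hash with a KDF."""
import hashlib
import hmac
import os
from typing import Optional

# assumption for the example; size to the deployment's tolerable verification cost
PBKDF2_ITERATIONS = 600_000


def legacy_sha1_matches(stored_sha1_hex: str, presented_sha1_hex: str) -> bool:
    """'Before': an unsalted SHA1 digest compared with ==. Two separate weaknesses:
    the digest is fast and unsalted, so a leaked table is cheap to crack offline,
    and the plain comparison leaks timing. Kept only to contrast with the fix."""
    return stored_sha1_hex == presented_sha1_hex


def make_password_record(password: str, salt: Optional[bytes] = None) -> str:
    """'After': derive with PBKDF2-HMAC-SHA256 and store iterations$salt$digest (hex).
    A fresh random salt is drawn unless one is supplied (supplied only for tests)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time.
    A malformed record is never a match."""
    try:
        iterations_s, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = make_password_record("correct horse battery staple")
    print("stored record:", record)
    print("right password:", verify_password(record, "correct horse battery staple"))
    print("wrong password:", verify_password(record, "Tr0ub4dor&3"))
```

Storing the iteration count inside the record lets the cost be raised later for new records while old ones still verify, which is the usual way to migrate away from a bare-hash scheme: verify against the legacy digest once, then re-record with the KDF on the next successful login.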