[flake8-bandit] Update insecure hash functions (S324) #16580
Conversation
|
AlexWaygood
changed the title
| | "ssl3-md5" | ||
| | "ssl3-sha1" | ||
| | "1.3.14.3.2.26" | ||
| | "1.2.840.113549.2.5" |
There was a problem hiding this comment.
I'd like to have a link to a reference documenting that these are references. I also think that they are so obscure (the number once), that I don't feel like we have to support them.
A reference is important because I otherwise find it impossible to know what these obscure numbers refer to and if they are indeed insecure.
Edit: I took a closer look at the issue. I think it's perfectly fine if Ruff only supports the guaranteed hash functions and that we, instead, should update the documentation to state so.
There was a problem hiding this comment.
Hey,
Thanks for the feedback. I tried to find a clear reference, but it's hard to find one which resume all the insicure hash-functions (or I'm not good in searching ;-)) . I agree that it makes sense for Ruff to only support reliably secure hash functions.
There was a problem hiding this comment.
Aren't we doing this the wrong way? We should be maintaining a whitelist instead of a blacklist of FIPS supported hashlib functions. Maybe with a way to specify additional safe ones through the pyproject.toml? As far I understand it, FIPS specification is a whitelist of supported functions, not a blacklist anyway.
This PR solves issue #16572
Could be an idea to define a HashSet containing the names of the insicure hash functions? In this way would be easier to update in case other insicure hash functions are added to the list.