[BUG] implementation of hashlib in _utils.py fails in FIPS environment #2697
Comments
|
Thanks @caplinje-NOAA - FIPS is new to me, but I don't see any reason we can't switch to Feel like making a PR? For completeness here are all the places I see us using > ag --py hashlib
development/_jl_components_generation.py
9:import hashlib
419: hex=u.hex[:-12] + hashlib.md5(package_name.encode("utf-8")).hexdigest()[-12:]
_callback.py
2:import hashlib
530: function_name = hashlib.md5(clientside_function.encode("utf-8")).hexdigest()
long_callback/managers/__init__.py
3:import hashlib
76: return hashlib.sha1(str(hash_dict).encode("utf-8")).hexdigest()
105: return hashlib.sha1(
dash.py
15:import hashlib
1466: method = getattr(hashlib, hash_algorithm)
_utils.py
5:import hashlib
145: hashed_inputs = hashlib.md5(
218: return hashlib.md5(fp.read().encode("utf-8")).hexdigest() |
|
I would be happy to, I'll submit as soon as I work out a testing scheme that makes sense. Thanks. |
|
Any update here? I'm very interested in a fix as I've been bitten by this too. |
|
@alexcjohnson, @shieronymus-slingshot FIPS envrionments which properly implement python guardrails were difficult for me to implement in a testing environment and I did not want to submit a pull request without testing that my edits would have resolved this issue. I still believe switching to a different hashing algorithm will solve this problem (and searching git for hashlib/FIPS will tell the whole story). For now I am simply using python 3.8 which somehow avoids this issue, though that is clearly not a long term solution. |
|
@shieronymus-slingshot I successfully reproduced my error with a simple example dashboard, and was able to resolve the error with a messy monkey patch / method overload. This is not ideal but is a reasonable test that switching to different/better hashing algorithm solves this issue. In my case, the offending method was create_callback_id and was invoked by callback in the case allow_duplicate=True. If this is your situation, you could apply a similar patch as a short term solution. My example code is here: https://github.com/caplinje-NOAA/dash_md5_patch_testing Again this is a messy and not intended as a real solution, but shows this can be resolved with a small pull request. It would be great to know that this is the same situation you are in, so if you wanted to do a similar test in your environment, that maybe is helpful here. |
Describe your context
CentOS FIPS environment
Python 3.11.5
Describe the bug
When deployed using rstudio-connect, the app fails to initialize with the following error:
...dash/_utils.py", line 144, in _concat hashed_inputs = hashlib.md5( ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPSThe error can be replicated simply with python3 in a similar environment, as was done in this redhat bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1744670
There is a fair amount of discussion about this issue in other projects (where reporters on average do a better job of describing the issue):
dask/dask#8608
Linuxfabrik/lib#30
PrefectHQ/prefect#7615
Where the suggested fix is to use a different hasher (e.g. blake3) or using the hashilb.md5 optional flag used_for_security=False (python>=3.9) if you're not hashing sensitive data. I for some reason did not see this error while in python 3.8. I believe this is a necessary fix to make dash compatible with FIPS environments.
The text was updated successfully, but these errors were encountered: