Our security audit tooling (bandit) flags that this call to
hashlib.sha1 should be marked with usedforsecurity=False (docs), since
it's being used in a non-security context (i.e., as a
non-cryptographic ID-generating function).
Doing so prevents this code from getting flagged in our toolchain, and
it seems to be best practice, so I'd suggest integrating this into the
main repo.
Thanks,
Matt Klein
--- a/vendor/django-impersonate-1.9.1/impersonate/signals.py
+++ b/vendor/django-impersonate-1.9.1/impersonate/signals.py
@@ -22,7 +22,7 @@ ID_LENGTH = 12
def gen_unique_id():
return hashlib.sha1(
- u'{0}:{1}'.format(get_random_string(ID_LENGTH),
tz_now()).encode('utf-8')
+ u'{0}:{1}'.format(get_random_string(ID_LENGTH),
tz_now()).encode('utf-8'), usedforsecurity=False
).hexdigest()
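Review bot: the `usedforsecurity=False` argument introduced on the `+` lines is only accepted by the hashlib constructors from Python 3.9 onward, so on the older interpreters that the still-supported Django releases run on, every call to `gen_unique_id()` would raise `TypeError`. Guard it rather than passing it unconditionally, for example `kwargs = {'usedforsecurity': False} if sys.version_info >= (3, 9) else {}` followed by `hashlib.sha1(..., **kwargs)`; the digest value is the same either way, so existing IDs are unaffected.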
>Doing so prevents this code from getting flagged in our toolchain, and
>it seems to be best practice, so I'd suggest integrating this into the
>main repo.
Matt, thanks for the patch! The issue here is that the `usedforsecurity`
keyword variable was added in Python 3.9 and current supported versions
of Django are 3.2, 4.1 and 4.2.
Unfortunately 3.2 supports Python 3.6 still (though support for 3.2 goes
away in April next year) and 4.2 has support for 3.8 and is supported
until April 2026.
So I think the patch needs a Python version check and if it's 3.9+, add
the flag.
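The version-guarded form suggested in the reply above, as an added example (it is neither the django-impersonate code nor part of the submitted patch); `get_random_string` and `tz_now` are stand-ins for the Django helpers the vendored module imports, and `ID_LENGTH = 12` follows the hunk header:

```python
import hashlib
import secrets
import string
import sys
from datetime import datetime, timezone

ID_LENGTH = 12

# Stand-ins (assumed) for django.utils.crypto.get_random_string and
# django.utils.timezone.now, so the example runs without Django installed.
_ALPHABET = string.ascii_letters + string.digits


def get_random_string(length):
    return ''.join(secrets.choice(_ALPHABET) for _ in range(length))


def tz_now():
    return datetime.now(timezone.utc)


# usedforsecurity= was added to the hashlib constructors in Python 3.9;
# passing it on an older interpreter raises TypeError.
_HAS_USEDFORSECURITY = sys.version_info >= (3, 9)


def sha1_hexdigest(data):
    """SHA-1 hex digest of *data*, flagged as non-cryptographic where supported.

    The digest is identical on every version; the keyword only tells
    FIPS-restricted builds (and linters such as bandit) that this is an
    ID-generation use, not a security use.
    """
    if _HAS_USEDFORSECURITY:
        return hashlib.sha1(data, usedforsecurity=False).hexdigest()
    return hashlib.sha1(data).hexdigest()


def gen_unique_id():
    # Same input construction as the vendored function: random string + timestamp.
    return sha1_hexdigest(
        u'{0}:{1}'.format(get_random_string(ID_LENGTH), tz_now()).encode('utf-8')
    )


if __name__ == '__main__':
    print(gen_unique_id())
```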