MIME-Version: 1.0
References: <CADiSC1kuOSS=Kv2c4G3Zg+aeHcbCQ4C9CHSjfK1OGQLkMg-cqA@mail.gmail.com>
In-Reply-To: <CADiSC1kuOSS=Kv2c4G3Zg+aeHcbCQ4C9CHSjfK1OGQLkMg-cqA@mail.gmail.com>
From: Matt Klein <matt@jellyfish.co>
Date: Mon, 16 Oct 2023 12:43:17 -0400
Message-ID: <CADiSC1m=fMdCZOGeKrtWBi=MH0muckNkMh42DESJDtcewXACtw@mail.gmail.com>
Subject: Re: [PATCH django-impersonate] Specify usedforsecurity=False in call
 to hashlib.sha1 as a security best practice
To: ~petersanchez/public-inbox@lists.code.netlandish.com
Content-Type: text/plain; charset="UTF-8"

Our security audit tooling (bandit) flags that this call to
hashlib.sha1 should be marked with usedforsecurity=False (docs), since
it's being used in a non-security context (i.e., as a
non-cryptographic ID-generating function).

Doing so prevents this code from getting flagged in our toolchain, and
it seems to be best practice, so I'd suggest integrating this into the
main repo.

Thanks,
Matt Klein

--- a/vendor/django-impersonate-1.9.1/impersonate/signals.py
+++ b/vendor/django-impersonate-1.9.1/impersonate/signals.py
@@ -22,7 +22,7 @@ ID_LENGTH = 12
 def gen_unique_id():
     return hashlib.sha1(
-        u'{0}:{1}'.format(get_random_string(ID_LENGTH),
tz_now()).encode('utf-8')
+        u'{0}:{1}'.format(get_random_string(ID_LENGTH),
tz_now()).encode('utf-8'), usedforsecurity=False
     ).hexdigest()
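Review bot: the `usedforsecurity` keyword added on the `+` line is only accepted by hashlib constructors from Python 3.9 onward; on any older interpreter `hashlib.sha1(..., usedforsecurity=False)` raises TypeError the first time `gen_unique_id()` is called, so either guard the keyword on the interpreter version (or probe for it once with a try/except TypeError) or state in the commit message that the project's minimum supported Python is 3.9+. Two further things will stop this hunk applying as posted: the file headers point at a vendored copy (`vendor/django-impersonate-1.9.1/impersonate/signals.py`) rather than the repository's own `impersonate/signals.py`, and the mail client has wrapped both changed lines so that `tz_now()).encode('utf-8')` lands on its own line with no leading `+` or space, which `git apply` will reject. Regenerating the patch against the upstream tree with `git format-patch` and sending it with `git send-email` avoids both.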
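The following is an added, stand-alone illustration of the change proposed in this thread; it is not code from django-impersonate or from the patch author. It shows the same random-string-plus-timestamp id generation with `usedforsecurity=False` applied in a way that also works on interpreters older than 3.9, where the keyword does not exist and would raise TypeError. Django's `get_random_string` and `timezone.now` are replaced here by `secrets` and `datetime` so the example runs without Django; the helper names `accepts_usedforsecurity` and `sha1_nonsecurity` are this example's own.

```python
import hashlib
import secrets
from datetime import datetime, timezone

ID_LENGTH = 12  # same constant the patched module uses


def accepts_usedforsecurity() -> bool:
    """Probe once whether this interpreter's hashlib accepts usedforsecurity.

    hashlib constructors gained the keyword in Python 3.9; older
    interpreters raise TypeError for it, which is what we detect here.
    """
    try:
        hashlib.sha1(b"", usedforsecurity=False)
    except TypeError:
        return False
    return True


USEDFORSECURITY_OK = accepts_usedforsecurity()


def sha1_nonsecurity(data: bytes):
    """Return a SHA-1 hash object for a non-security use (id generation).

    Marks the call as non-security where the interpreter supports it, so
    FIPS-mode builds and static analysers (e.g. bandit) treat it as a
    checksum/identifier rather than a cryptographic use; falls back to
    the plain constructor elsewhere instead of crashing.
    """
    if USEDFORSECURITY_OK:
        return hashlib.sha1(data, usedforsecurity=False)
    return hashlib.sha1(data)


def gen_unique_id() -> str:
    """Mirror of the patched gen_unique_id(): hash of "<random>:<now>".

    secrets.token_urlsafe stands in for Django's get_random_string and a
    UTC datetime for timezone.now (both substitutions are this example's).
    """
    random_part = secrets.token_urlsafe(ID_LENGTH)[:ID_LENGTH]
    stamp = datetime.now(timezone.utc).isoformat()
    return sha1_nonsecurity(f"{random_part}:{stamp}".encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("usedforsecurity supported:", USEDFORSECURITY_OK)
    print("id:", gen_unique_id())
```

The probe-once pattern (`accepts_usedforsecurity`) is preferable to checking `sys.version_info` because it reflects what the running hashlib actually accepts, including backports or patched builds; the id itself stays a 40-character hex SHA-1 digest exactly as in the original function.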