From: Matt Klein
Date: Mon, 16 Oct 2023 12:43:17 -0400
Subject: Re: [PATCH django-impersonate] Specify usedforsecurity=False in call to hashlib.sha1 as a security best practice
To: ~petersanchez/public-inbox@lists.code.netlandish.com

Our security audit tooling (bandit) flags that this call to hashlib.sha1 should be marked with usedforsecurity=False (docs), since it's being used in a non-security context (i.e., as a non-cryptographic ID-generating function). Doing so prevents this code from getting flagged in our toolchain, and it seems to be best practice, so I'd suggest integrating this into the main repo.

Thanks,
Matt Klein

--- a/vendor/django-impersonate-1.9.1/impersonate/signals.py +++ b/vendor/django-impersonate-1.9.1/impersonate/signals.py @@ -22,7 +22,7 @@ ID_LENGTH = 12 def gen_unique_id(): return hashlib.sha1( - u'{0}:{1}'.format(get_random_string(ID_LENGTH), tz_now()).encode('utf-8') + u'{0}:{1}'.format(get_random_string(ID_LENGTH), tz_now()).encode('utf-8'), usedforsecurity=False ).hexdigest()
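Review bot: the keyword added on the `+` line, `usedforsecurity=False`, is only accepted by the `hashlib.sha1()` constructor from Python 3.9 onward; on older interpreters the call raises `TypeError`, so the patch should either state that the package's supported Python floor is 3.9 or higher, or fall back to the plain call (for example, catch `TypeError` and retry without the keyword). The marking itself fits this function: as the cover note says, the digest of `get_random_string(ID_LENGTH)` joined with `tz_now()` serves only as an identifier, and the unpredictability of that identifier comes from `get_random_string`, not from the hash, so declaring the call non-security is accurate as long as nothing downstream treats the digest as a secret.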