Lower the severity of insecure hash functions (B303) for hashlib if usedforsecurity=False #748
Labels: enhancement (New feature or request)
ericwb added commits that referenced this issue on Feb 6 and Feb 7, 2022, with the commit message:

In Python 3.9+ hashlib has a new argument named usedforsecurity to indicate whether the hash is intended to be used for security or not. The default value is True, so a user must explicitly set it to False to state their non-security use. As a result of this change in Python, the severity has been moved up to HIGH if usedforsecurity is True. But on earlier versions of Python, the severity will remain at MEDIUM since we don't know the intent of usage.

https://docs.python.org/3/library/hashlib.html#hashlib.new

Closes #748

Signed-off-by: Eric Brown <[email protected]>
LarsMichelsen pushed a commit to Checkmk/checkmk that referenced this issue on Mar 7, 2022:

This updated bandit to 1.7.4. In 1.7.3 check [B303], hash functions, was updated and [B415], IPMI protocol, was added.

Hash Function
=============

A lower threshold for insecure hash functions was introduced. All offending code places have been updated with `usedforsecurity=False` to make bandit happy. This might not have been ideal in all cases. I'm currently not sure how a change in hashing algorithm would affect backwards compatibility.

IPMI Protocol
=============

The IPMI protocol is considered insecure. We use it extensively in core parts of the code. For now ignore this check.

[B303] PyCQA/bandit#748
[B415] PyCQA/bandit#803

Change-Id: Iee36820d152955bbd31e6b21fdd6bbc5b83dbb1c
hashlib supports setting usedforsecurity=False when hashing or creating a hash function:

I suggest bandit could lower the severity if usedforsecurity=False is present, since this is quite explicit.

But I would advise against ignoring such cases completely, since the docs ( https://docs.python.org/3/library/hashlib.html#hash-algorithms ) say that setting it to False enables the use of insecure algorithms in restricted environments, and someone may decide to use this flag as a workaround to use insecure hash functions.
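As an added illustration, not bandit's own plugin code, the following Python script mirrors the severity rules stated in ericwb's commit message with a small ast-based checker, and follows the suggestion above by reporting usedforsecurity=False calls at a lowered severity instead of dropping them: on Python 3.9+ a weak hashlib call is HIGH unless usedforsecurity=False (LOW here), a non-literal flag is MEDIUM because the intent cannot be read statically, and on older Python everything is MEDIUM. The SAMPLE source, the LOW label for the explicit opt-out, and the helper names are assumptions of this example; bandit's real output may differ. It also includes nonsecurity_md5, showing the runtime side of the Checkmk remediation: the keyword only exists on Python 3.9+, so code that still supports older interpreters needs a fallback.

```python
import ast
import hashlib
import sys

# Algorithms treated as weak here (mirrors the md4/md5/sha/sha1 family the
# issue is about). Assumption of this example, not bandit's exact list.
WEAK_HASHES = {"md4", "md5", "sha", "sha1"}


def _weak_hashlib_call(node):
    """Return the weak algorithm name if `node` is hashlib.<weak>(...) or
    hashlib.new('<weak>', ...) / hashlib.new(name='<weak>', ...), else None."""
    func = node.func
    if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "hashlib"):
        return None
    if func.attr in WEAK_HASHES:
        return func.attr
    if func.attr == "new":
        name_arg = None
        if node.args and isinstance(node.args[0], ast.Constant):
            name_arg = node.args[0].value
        for kw in node.keywords:
            if kw.arg == "name" and isinstance(kw.value, ast.Constant):
                name_arg = kw.value.value
        if isinstance(name_arg, str) and name_arg.lower() in WEAK_HASHES:
            return name_arg.lower()
    return None


def _usedforsecurity_value(node):
    """True if the keyword is absent (hashlib's default), its literal value if
    it is a constant, or None if it is an expression we cannot evaluate."""
    for kw in node.keywords:
        if kw.arg == "usedforsecurity":
            if isinstance(kw.value, ast.Constant):
                return bool(kw.value.value)
            return None
    return True


def classify_weak_hashes(source, python_version=sys.version_info[:2]):
    """Scan `source` and return sorted [(lineno, algorithm, severity)].

    Rules (from the commit message on this issue, plus the LOW tier that this
    example adds for the explicit opt-out, which bandit may handle differently):
      Python < 3.9 : MEDIUM  (flag does not exist, intent unknown)
      Python >= 3.9: HIGH    (usedforsecurity absent or True)
                     LOW     (usedforsecurity=False, still reported, not ignored)
                     MEDIUM  (usedforsecurity=<non-literal>, intent unknown)
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        algo = _weak_hashlib_call(node)
        if algo is None:
            continue
        if python_version < (3, 9):
            severity = "MEDIUM"
        else:
            flag = _usedforsecurity_value(node)
            severity = {True: "HIGH", False: "LOW"}.get(flag, "MEDIUM")
        findings.append((node.lineno, algo, severity))
    # ast.walk is breadth-first, so sort to report in source order.
    return sorted(findings)


def nonsecurity_md5(data):
    """MD5 for non-security use (e.g. an ETag). The usedforsecurity keyword
    was added in Python 3.9; on older upstream CPython it raises TypeError,
    so fall back to the plain call there. A FIPS-restricted build may still
    raise ValueError for MD5 without the flag; that is left to the caller."""
    try:
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    except TypeError:
        return hashlib.md5(data).hexdigest()


# Constructed sample module for the checker (backslash keeps line 1 = import).
SAMPLE = '''\
import hashlib
digest = hashlib.md5(data).hexdigest()
etag = hashlib.md5(data, usedforsecurity=False).hexdigest()
h = hashlib.new("sha1", data)
h2 = hashlib.new(name="SHA1", usedforsecurity=False)
h3 = hashlib.sha1(data, usedforsecurity=flag)
ok = hashlib.sha256(data).hexdigest()
'''

if __name__ == "__main__":
    for version in ((3, 8), (3, 9)):
        print(f"Python {version[0]}.{version[1]}:")
        for lineno, algo, severity in classify_weak_hashes(SAMPLE, version):
            print(f"  line {lineno}: {algo} -> {severity}")
    print("md5(b'abc') =", nonsecurity_md5(b"abc"))
```

Running it shows the same five weak calls at MEDIUM when evaluated as Python 3.8, and HIGH/LOW/HIGH/LOW/MEDIUM when evaluated as 3.9; sha256 is never reported. Whether the explicit opt-out should stay visible at a low severity (as done here) or be suppressed entirely is exactly the policy question this issue raises.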