github-advanced-security[bot] commented on code in PR #35621:
URL: https://github.com/apache/superset/pull/35621#discussion_r2426737417
##########
superset/utils/hashing.py:
##########
@@ -14,23 +14,106 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
+from __future__ import annotations
+
import hashlib
-from typing import Any, Callable, Optional
+import logging
+from typing import Any, Callable, Literal, Optional
+
+from flask import current_app as app
from superset.utils import json
+logger = logging.getLogger(__name__)
-def md5_sha_from_str(val: str) -> str:
- return hashlib.md5(val.encode("utf-8")).hexdigest() # noqa: S324
+HashAlgorithm = Literal["md5", "sha256"]
-def md5_sha_from_dict(
+def get_hash_algorithm() -> HashAlgorithm:
+ """
+ Get the configured hash algorithm for non-cryptographic purposes.
+
+ Returns:
+ Hash algorithm name ('md5' or 'sha256')
+ """
+ return app.config["HASH_ALGORITHM"]
+
+
+def hash_from_str(val: str, algorithm: Optional[HashAlgorithm] = None) -> str:
+ """
+ Generate a hash from a string using the configured or specified algorithm.
+
+ Args:
+ val: String to hash
+ algorithm: Hash algorithm to use (defaults to configured algorithm)
+
+ Returns:
+ Hexadecimal hash digest string
+
+ Examples:
+ >>> hash_from_str("test") # Uses configured algorithm
+ '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'
+ >>> hash_from_str("test", algorithm="md5") # Force MD5
+ '098f6bcd4621d373cade4e832627b4f6'
+ """
+ if algorithm is None:
+ algorithm = get_hash_algorithm()
+
+ if algorithm == "sha256":
+ return hashlib.sha256(val.encode("utf-8")).hexdigest()
+ elif algorithm == "md5":
+ # MD5 is only acceptable for legacy compatibility
+ return hashlib.md5(val.encode("utf-8")).hexdigest() # noqa: S324
Review Comment:
## Use of a broken or weak cryptographic hashing algorithm on sensitive data
[Sensitive data (certificate)](1) is used in a hashing algorithm (MD5) that
is insecure.
[Sensitive data (certificate)](2) is used in a hashing algorithm (MD5) that
is insecure.
[Sensitive data (certificate)](3) is used in a hashing algorithm (MD5) that
is insecure.
[Sensitive data (certificate)](4) is used in a hashing algorithm (MD5) that
is insecure.
[Sensitive data (certificate)](5) is used in a hashing algorithm (MD5) that
is insecure.
[Sensitive data (certificate)](6) is used in a hashing algorithm (MD5) that
is insecure.
[Sensitive data (certificate)](7) is used in a hashing algorithm (MD5) that
is insecure.
[Sensitive data (id)](8) is used in a hashing algorithm (MD5) that is
insecure.
[Sensitive data (id)](9) is used in a hashing algorithm (MD5) that is
insecure.
[Sensitive data (id)](10) is used in a hashing algorithm (MD5) that is
insecure.
[Sensitive data (id)](11) is used in a hashing algorithm (MD5) that is
insecure.
[Sensitive data (id)](12) is used in a hashing algorithm (MD5) that is
insecure.
[Sensitive data (id)](13) is used in a hashing algorithm (MD5) that is
insecure.
[Sensitive data (id)](14) is used in a hashing algorithm (MD5) that is
insecure.
[Sensitive data (id)](15) is used in a hashing algorithm (MD5) that is
insecure.
[Sensitive data (id)](16) is used in a hashing algorithm (MD5) that is
insecure.
[Sensitive data (id)](17) is used in a hashing algorithm (MD5) that is
insecure.
[Sensitive data (certificate)](18) is used in a hashing algorithm (MD5) that
is insecure.
[Show more
details](https://github.com/apache/superset/security/code-scanning/2063)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
