From: Mike Bayer Date: Tue, 12 Sep 2023 16:24:14 +0000 (-0400) Subject: qualify hashlib.md5() with usedforsecurity=False X-Git-Tag: rel_2_0_21~11^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=827e5121e210fc05f878a3f50ec6df9028fecdfa;p=thirdparty%2Fsqlalchemy%2Fsqlalchemy.git qualify hashlib.md5() with usedforsecurity=False Qualified the use of ``hashlib.md5()`` within the DDL compiler, which is used to generate deterministic four-character suffixes for long index and constraint names in DDL statements, to include the Python 3.9+ ``usedforsecurity=False`` parameter so that Python interpreters built for restricted environments such as FIPS do not consider this call to be related to security concerns. Fixes: #10342 Change-Id: I3af0d3de3d140663c70921ab1ed4b66ad9512ec4
---
diff --git a/doc/build/changelog/unreleased_20/10342.rst b/doc/build/changelog/unreleased_20/10342.rst
new file mode 100644
index 0000000000..800ea73929
--- /dev/null
+++ b/doc/build/changelog/unreleased_20/10342.rst
@@ -0,0 +1,10 @@
+.. change::
+ :tags: bug, sql
+ :tickets: 10342
+
+ Qualified the use of ``hashlib.md5()`` within the DDL compiler, which is
+ used to generate deterministic four-character suffixes for long index and
+ constraint names in DDL statements, to include the Python 3.9+
+ ``usedforsecurity=False`` parameter so that Python interpreters built for
+ restricted environments such as FIPS do not consider this call to be
+ related to security concerns.
diff --git a/lib/sqlalchemy/util/compat.py b/lib/sqlalchemy/util/compat.py
index da653b84d2..98a0b65ec9 100644
--- a/lib/sqlalchemy/util/compat.py
+++ b/lib/sqlalchemy/util/compat.py
@@ -12,6 +12,7 @@ from __future__ import annotations
 import base64
 import dataclasses
+import hashlib
 import inspect
 import operator
 import platform
@@ -119,6 +120,18 @@ else:
 return gen.athrow(typ, value, traceback)
+if py39:
+ # python stubs don't have a public type for this. not worth
+ # making a protocol
+ def md5_not_for_security() -> Any:
+ return hashlib.md5(usedforsecurity=False)
+
+else:
+
+ def md5_not_for_security() -> Any:
+ return hashlib.md5()
+
+
 if typing.TYPE_CHECKING or py38:
 from importlib import metadata as importlib_metadata
 else:
diff --git a/lib/sqlalchemy/util/langhelpers.py b/lib/sqlalchemy/util/langhelpers.py
index 6c9afb5df6..e8c28d27c2 100644
--- a/lib/sqlalchemy/util/langhelpers.py
+++ b/lib/sqlalchemy/util/langhelpers.py
@@ -15,7 +15,6 @@ from __future__ import annotations
 import collections
 import enum
 from functools import update_wrapper
-import hashlib
 import inspect
 import itertools
 import operator
@@ -87,9 +86,9 @@ else:
 def md5_hex(x: Any) -> str:
 x = x.encode("utf-8")
- m = hashlib.md5()
+ m = compat.md5_not_for_security()
 m.update(x)
- return m.hexdigest()
+ return cast(str, m.hexdigest())
 class safe_reraise:
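Review bot: The `else` branch of the new `md5_not_for_security` definition still calls plain `hashlib.md5()`, so on an interpreter older than 3.9 that is built for a restricted environment such as FIPS the call would presumably still be refused. That limit of the fix deserves a comment on the fallback, for example `# pre-3.9: no usedforsecurity flag, a restricted build may still reject md5 here`. Neither definition has a docstring; one line such as `"""Return an MD5 hasher for non-security use only; never for integrity or authentication."""` would keep the helper from being reused where a real digest is required. The remark about stubs explains the `-> Any` on both definitions but sits only above the first.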
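Review bot: `md5_hex` keeps a general-purpose name, yet after this hunk its digest is explicitly declared not for security and nothing at the definition tells a future caller so. A docstring such as `"""Return the hex MD5 of x; for deterministic identifiers only, not a security digest."""` would record the contract where callers look. The `cast(str, ...)` is only needed because the compat helper is annotated `-> Any`. The hunk adds no import for `cast` or `compat`, so both have to be in scope in langhelpers.py already, which is worth confirming.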