-
-
Notifications
You must be signed in to change notification settings - Fork 699
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use of md5 hash causes FIPS error, requires usedforsecurity=False #2270
Comments
There's one problem here: it looks like I'm happy to add it with a Python version check or similar, but would the FIPS scanning system identify something like the following? import hashlib
import sys
def non_security_md5(text):
try:
return hashlib.md5(text.encode("utf8"), usedforsecurity=False).hexdigest()
except TypeError:
# usedforsecurity is not supported
return hashlib.md5(text.encode("utf8")).hexdigest() If that still trips the security filter I'm not sure what to do here - I want to be able to support Python 3.8. |
Since this is purely a cosmetic thing and we're pre-Datasette-1.0 I'd be OK swapping MD5 for SHA256 here to please the filter. |
Code in question: datasette/datasette/database.py Lines 73 to 77 in 5d79974
datasette/datasette/utils/__init__.py Lines 705 to 725 in 5d79974
The CSS bit is actually a bigger problem, because changing that will change the CSS class name (and the name used for custom templates) for existing Datasette instances - which could result in customized templates or CSS breaking in ways that people might not easily notice. |
Here's the origin of that |
Oh wait... is the issue here that in a FIPS enabled system simply calling If so, the fix could well be to use I had originally assumed that this was about a FIPS scanner that statically analyzes Python code looking for insecure uses of |
@simonw exactly, calling Not sure if you can do anything about the pint issue, but just as a heads-up that also exhibits a similar runtime error in their use of |
OK, I figured out how to replicate this problem using Docker. I'm using this image: https://hub.docker.com/r/cyberark/ubuntu-ruby-fips The hardest part was finding an actively maintained FIPS Docker image! I eventually found it via this search for most recently updated images on Docker Hub matching "fips": https://hub.docker.com/search?q=fips&sort=updated_at&order=desc So I can start the container with: docker run -it --rm cyberark/ubuntu-ruby-fips /bin/bash Then I can install stuff I need with: apt-gen update && apt-get install -y python3 git python3.10-venv Then: cd /tmp
git clone https://github.com/simonw/datasette
cd datasette
python3 -m venv venv
source venv/bin/activate
pip install -e '.[test]'
pytest -n auto This fails a bunch of tests thanks to the FIPS issue - errors like this:
|
Applying this patch causes the test suite to pass in that FIPS Docker container: diff --git a/datasette/database.py b/datasette/database.py
index becb552c..94225c47 100644
--- a/datasette/database.py
+++ b/datasette/database.py
@@ -74,7 +74,7 @@ class Database:
def color(self):
if self.hash:
return self.hash[:6]
- return hashlib.md5(self.name.encode("utf8")).hexdigest()[:6]
+ return hashlib.md5(self.name.encode("utf8"), usedforsecurity=False).hexdigest()[:6]
def suggest_name(self):
if self.path:
diff --git a/datasette/utils/__init__.py b/datasette/utils/__init__.py
index f2cd7eb0..d8d187ea 100644
--- a/datasette/utils/__init__.py
+++ b/datasette/utils/__init__.py
@@ -713,7 +713,7 @@ def to_css_class(s):
"""
if css_class_re.match(s):
return s
- md5_suffix = hashlib.md5(s.encode("utf8")).hexdigest()[:6]
+ md5_suffix = hashlib.md5(s.encode("utf8"), usedforsecurity=False).hexdigest()[:6]
# Strip leading _, -
s = s.lstrip("_").lstrip("-")
# Replace any whitespace with hyphens |
@darugar do you think it's worth releasing a 0.64 with this fix, or can I leave it for a Datasette 1.0 alpha and then Datasette 1.0? |
How are you patching that? I'm considering moving Pint out of Datasette core and trying to get it to work as a plugin instead before 1.0 - this may be just the push I need to make that decision. |
@simonw yes we're patching Pint. Since we need to patch that anyway doing the patch for datasette is not much more effort, but of course it'd be nicer if datasette didn't need a patch :-) Completely up to you depending on timing for 1.0 alpha. Ideal scenario for us would be a datasette release with Pint as a plugin (we don't use it) and the md5 issue fixed in the release, but not a huge deal. |
Wrote this up as a TIL: https://til.simonwillison.net/python/md5-fips |
I filed an issue with Pint here: |
And a PR against Pint too, which was easy because they've already dropped support for Python 3.8: |
Use of the md5 hashing algorithm is not permitted in FIPS systems, exhibiting the error:
This can be fixed via
hashlib.md5(usedforsecurity=False)
:in database.py:
in init.py:
I can do a PR if that's easier - I've tested these updates locally and in FIPS environments and they work, but pytest does not pass tests (master is also failing the pytests in the same way).
Note that a similar issue exists in the
pint
library wherehashlib.blake2b
is used - in order to allow datasette to run in FIPS this needs to be modified to, for example,hashlib.sha512
.The text was updated successfully, but these errors were encountered: