From 1f1791622457c8e76f68f7fb9a1f4ef36d01b8f8 Mon Sep 17 00:00:00 2001 From: Aaron Gokaslan Date: Sun, 16 Feb 2025 10:06:55 -0800 Subject: [PATCH] Add doc about usedforsecurity flag for S324 (#16190) ## Summary Provides documentation about the FIPS compliant flag for Python hashlib `usedforsecurity` Fixes #16188 ## Test Plan * pre-commit hooks --------- Co-authored-by: Brent Westbrook <36778786+ntBre@users.noreply.github.com>
---
 .../rules/hashlib_insecure_hash_functions.rs | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/crates/ruff_linter/src/rules/flake8_bandit/rules/hashlib_insecure_hash_functions.rs b/crates/ruff_linter/src/rules/flake8_bandit/rules/hashlib_insecure_hash_functions.rs
index 85283dc7eb..d2ad1dba85 100644
--- a/crates/ruff_linter/src/rules/flake8_bandit/rules/hashlib_insecure_hash_functions.rs
+++ b/crates/ruff_linter/src/rules/flake8_bandit/rules/hashlib_insecure_hash_functions.rs
@@ -43,9 +43,22 @@ use super::super::helpers::string_literal;
 /// return hash == known_hash
 /// ```
 ///
+/// or add `usedforsecurity=False` if the hashing algorithm is not used in a security context, e.g.
+/// as a non-cryptographic one-way compression function:
+/// ```python
+/// import hashlib
+///
+///
+/// def certificate_is_valid(certificate: bytes, known_hash: str) -> bool:
+/// hash = hashlib.md5(certificate, usedforsecurity=False).hexdigest()
+/// return hash == known_hash
+/// ```
+///
+///
 /// ## References
 /// - [Python documentation: `hashlib` — Secure hashes and message digests](https://docs.python.org/3/library/hashlib.html)
 /// - [Python documentation: `crypt` — Function to check Unix passwords](https://docs.python.org/3/library/crypt.html)
+/// - [Python documentation: `FIPS` - FIPS compliant hashlib implementation](https://docs.python.org/3/library/hashlib.html#hashlib.algorithms_guaranteed)
 /// - [Common Weakness Enumeration: CWE-327](https://cwe.mitre.org/data/definitions/327.html)
 /// - [Common Weakness Enumeration: CWE-328](https://cwe.mitre.org/data/definitions/328.html)
 /// - [Common Weakness Enumeration: CWE-916](https://cwe.mitre.org/data/definitions/916.html)
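Review bot: The new example pairs `usedforsecurity=False` with a function named `certificate_is_valid` that compares an MD5 digest against a known hash, which is an integrity check and therefore exactly the security context the sentence above says the flag is not for; a reader is likely to copy it and silence S324 on real verification code. Swap it for a clearly non-security use, e.g. `def cache_key(payload: bytes) -> str:` / `return hashlib.md5(payload, usedforsecurity=False).hexdigest()`, and add one sentence noting that the flag only declares the call non-security-relevant (so it is permitted under FIPS-restricted builds) and does not make MD5 or SHA-1 acceptable for integrity, authentication or password hashing. The added reference is titled `FIPS` but its anchor is `#hashlib.algorithms_guaranteed`, which lists the guaranteed algorithms rather than documenting `usedforsecurity`; the parameter is described on the constructor entries (e.g. `#hashlib.new`), so the link title and anchor should be brought into agreement. The doc comment starts before the hunk and the item it documents follows it.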