Merge pull request SmileyChris#646 from buugaj/achieve_fips_compliance

Ensure FIPS compliance by marking MD5 and SHA-1 as non-security-related
ArcaniteSolutions · Nov 9, 2024 · ecec162 · ecec162
2 parents d4e8d0c + 79b7bd3
commit ecec162
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 5 deletions.
diff --git a/easy_thumbnails/namers.py b/easy_thumbnails/namers.py
@@ -1,7 +1,8 @@
 import base64
-import hashlib
 import os
 
+from easy_thumbnails.utils import sha1_not_used_for_security
+
 
 def default(thumbnailer, prepared_options, source_filename,
             thumbnail_extension, **kwargs):
@@ -38,7 +39,7 @@ def hashed(source_filename, prepared_options, thumbnail_extension, **kwargs):
     for example: ``6qW1buHgLaZ9.jpg``.
     """
     parts = ':'.join([source_filename] + prepared_options)
-    short_sha = hashlib.sha1(parts.encode('utf-8')).digest()
+    short_sha = sha1_not_used_for_security(parts.encode('utf-8')).digest()
     short_hash = base64.urlsafe_b64encode(short_sha[:9]).decode('utf-8')
     return '.'.join([short_hash, thumbnail_extension])
 
@@ -54,10 +55,10 @@ def source_hashed(source_filename, prepared_options, thumbnail_extension,
     base64 sha1 hash of the thumbnail options. For example:
     ``1xedFtqllFo9_100x100_QHCa6G1l.jpg``.
     """
-    source_sha = hashlib.sha1(source_filename.encode('utf-8')).digest()
+    source_sha = sha1_not_used_for_security(source_filename.encode('utf-8')).digest()
     source_hash = base64.urlsafe_b64encode(source_sha[:9]).decode('utf-8')
     parts = ':'.join(prepared_options[1:])
-    parts_sha = hashlib.sha1(parts.encode('utf-8')).digest()
+    parts_sha = sha1_not_used_for_security(parts.encode('utf-8')).digest()
     options_hash = base64.urlsafe_b64encode(parts_sha[:6]).decode('utf-8')
     return '%s_%s_%s.%s' % (
         source_hash, prepared_options[0], options_hash, thumbnail_extension)
diff --git a/easy_thumbnails/utils.py b/easy_thumbnails/utils.py
@@ -65,7 +65,7 @@ def get_storage_hash(storage):
     if not isinstance(storage, str):
         storage_cls = storage.__class__
         storage = '%s.%s' % (storage_cls.__module__, storage_cls.__name__)
-    return hashlib.md5(storage.encode('utf8')).hexdigest()
+    return md5_not_used_for_security(storage.encode('utf8')).hexdigest()
 
 
 def is_transparent(image):
@@ -145,3 +145,19 @@ def get_modified_time(storage, name):
             default_timezone = timezone.get_default_timezone()
             return timezone.make_aware(modified_time, default_timezone)
     return modified_time
+
+def md5_not_used_for_security(data):
+    """
+    Calculate a md5 hash of the given data, but explicitly mark it as not
+    being used for security purposes. Without this flag FIPS compliant
+    systems will raise an exception when used.
+    """
+    return hashlib.new('md5', data, usedforsecurity=False)
+
+def sha1_not_used_for_security(data):
+    """
+    Calculate a sha1 hash of the given data, but explicitly mark it as not
+    being used for security purposes. Without the flag FIPS compliant
+    systems will raise an exception when used.
+    """
+    return hashlib.new('sha1', data, usedforsecurity=False)