potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new a85d94e6cdc Add usedforsecurity for sha1 algorithm (#44081)
a85d94e6cdc is described below
commit a85d94e6cdcd09efe93c3acee0b4ce5c9508bc23
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sat Nov 16 16:37:23 2024 +0000
Add usedforsecurity for sha1 algorithm (#44081)
SHA1 is cryptographically weak and some restricted environments
(FIPS compliant) are blocking weak algorithms. You can use them
(as of Python 3.9) in those environments by specifically stating
that the algorithm is not used for security.
---
airflow/models/dagcode.py | 7 ++++++-
airflow/models/taskinstance.py | 3 ++-
airflow/sensors/base.py | 7 +++++--
airflow/utils/file.py | 2 +-
4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/airflow/models/dagcode.py b/airflow/models/dagcode.py
index c78457e6059..e4e364571a7 100644
--- a/airflow/models/dagcode.py
+++ b/airflow/models/dagcode.py
@@ -163,4 +163,9 @@ class DagCode(Base):
import hashlib
# Only 7 bytes because MySQL BigInteger can hold only 8 bytes (signed).
- return struct.unpack(">Q",
hashlib.sha1(full_filepath.encode("utf-8")).digest()[-8:])[0] >> 8
+ return (
+ struct.unpack(
+ ">Q", hashlib.sha1(full_filepath.encode("utf-8"),
usedforsecurity=False).digest()[-8:]
+ )[0]
+ >> 8
+ )
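Review bot: The new `usedforsecurity=False` on the `hashlib.sha1(...)` call has no comment saying why this use is non-cryptographic; the existing comment only explains the 7-byte size. Since the digest is truncated to 56 bits and returned as an integer sized for a BigInteger column, I would extend the comment with `# Not a security hash: compact key derived from the file path; at 56 bits collisions are possible, so do not treat equality as proof of identity.` Whether the callers already tolerate two paths sharing a value is not visible in this hunk, so that wording should be confirmed against them. The enclosing method starts above the hunk.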
diff --git a/airflow/models/taskinstance.py b/airflow/models/taskinstance.py
index 7a2f451727a..7e1ea6a1cae 100644
--- a/airflow/models/taskinstance.py
+++ b/airflow/models/taskinstance.py
@@ -2456,7 +2456,8 @@ class TaskInstance(Base, LoggingMixin):
# deterministic per task instance
ti_hash = int(
hashlib.sha1(
-
f"{self.dag_id}#{self.task_id}#{self.logical_date}#{self.try_number}".encode()
+
f"{self.dag_id}#{self.task_id}#{self.logical_date}#{self.try_number}".encode(),
+ usedforsecurity=False,
).hexdigest(),
16,
)
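Review bot: The expression `int(hashlib.sha1(<f-string>.encode(), usedforsecurity=False).hexdigest(), 16)` is now written out three times, here and in both hunks of airflow/sensors/base.py, each with its own copy of the flag. A small private helper (name illustrative), `def _jitter_hash(key: str) -> int: return int(hashlib.sha1(key.encode(), usedforsecurity=False).hexdigest(), 16)`, would keep the non-security declaration in one reviewed place. It would also keep the Python 3.9+ keyword requirement the commit message mentions in one spot; older interpreters reject that keyword with a TypeError. A later call site could then not drop the flag unnoticed or reuse the value for something security-relevant. The surrounding method begins and ends outside the hunk.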
diff --git a/airflow/sensors/base.py b/airflow/sensors/base.py
index 8efcc5da417..3e5a8565e50 100644
--- a/airflow/sensors/base.py
+++ b/airflow/sensors/base.py
@@ -365,7 +365,8 @@ class BaseSensorOperator(BaseOperator, SkipMixin):
# Calculate the jitter
run_hash = int(
hashlib.sha1(
-
f"{self.dag_id}#{self.task_id}#{started_at}#{estimated_poke_count}".encode()
+
f"{self.dag_id}#{self.task_id}#{started_at}#{estimated_poke_count}".encode(),
+ usedforsecurity=False,
).hexdigest(),
16,
)
@@ -384,7 +385,9 @@ class BaseSensorOperator(BaseOperator, SkipMixin):
min_backoff = max(int(self.poke_interval * (2 ** (poke_count - 2))), 1)
run_hash = int(
-
hashlib.sha1(f"{self.dag_id}#{self.task_id}#{started_at}#{poke_count}".encode()).hexdigest(),
+ hashlib.sha1(
+
f"{self.dag_id}#{self.task_id}#{started_at}#{poke_count}".encode(),
usedforsecurity=False
+ ).hexdigest(),
16,
)
modded_hash = min_backoff + run_hash % min_backoff
diff --git a/airflow/utils/file.py b/airflow/utils/file.py
index 962f97c8fcf..09b39e98ccf 100644
--- a/airflow/utils/file.py
+++ b/airflow/utils/file.py
@@ -356,7 +356,7 @@ def iter_airflow_imports(file_path: str) -> Generator[str,
None, None]:
def get_unique_dag_module_name(file_path: str) -> str:
"""Return a unique module name in the format unusual_prefix_{sha1 of
module's file path}_{original module name}."""
if isinstance(file_path, str):
- path_hash = hashlib.sha1(file_path.encode("utf-8")).hexdigest()
+ path_hash = hashlib.sha1(file_path.encode("utf-8"),
usedforsecurity=False).hexdigest()
org_mod_name = re2.sub(r"[.-]", "_", Path(file_path).stem)
return MODIFIED_DAG_MODULE_NAME.format(path_hash=path_hash,
module_name=org_mod_name)
raise ValueError("file_path should be a string to generate unique module
name")