github-advanced-security[bot] commented on code in PR #2050:
URL: https://github.com/apache/libcloud/pull/2050#discussion_r1976629285


##########
libcloud/common/gandi.py:
##########
@@ -147,7 +152,8 @@
         same UUID!
         """
         hashstring = "{}:{}:{}".format(self.uuid_prefix, self.id, 
self.driver.type)
-        return hashlib.sha1(b(hashstring)).hexdigest()
+
+        return hashlib.sha1(b(hashstring)).hexdigest()  # nosec
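Review bot: the `# nosec` on the `return hashlib.sha1(b(hashstring)).hexdigest()` line silences Bandit but records no reason, and it does nothing for the GitHub code-scanning alert linked below, which is produced by CodeQL and does not honour Bandit markers. The docstring and the `hashstring` inputs (`uuid_prefix`, `id`, `driver.type`) show that SHA-1 only derives a stable, non-secret identifier here, so say so in the suppression, e.g. `# nosec B324 - non-security use: stable identifier derivation`, or, where the supported Python versions are 3.9+, pass `usedforsecurity=False` to `hashlib.sha1(...)`, which documents the intent in the code itself and is recognised by recent Bandit releases. The added blank line between the `hashstring` assignment and the `return` is cosmetic and could be dropped to keep the diff to the suppression alone.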

Review Comment:
   ## Use of a broken or weak cryptographic hashing algorithm on sensitive data
   
   [Sensitive data (id)](1) is used in a hashing algorithm (SHA1) that is insecure.
   
   [Show more details](https://github.com/apache/libcloud/security/code-scanning/30)



##########
libcloud/common/nfsn.py:
##########
@@ -70,22 +73,25 @@
         salt = self._salt()
         api_key = self.key
         data = urlencode(data)
-        data_hash = hashlib.sha1(data.encode("utf-8")).hexdigest()
+        data_hash = hashlib.sha1(data.encode("utf-8")).hexdigest()  # nosec
 
         string = ";".join((login, timestamp, salt, api_key, action, data_hash))
-        string_hash = hashlib.sha1(string.encode("utf-8")).hexdigest()
+        string_hash = hashlib.sha1(string.encode("utf-8")).hexdigest()  # nosec
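Review bot: both `# nosec` markers here are defensible only because SHA-1 appears to be fixed by the remote API's authentication scheme (`login`, `timestamp`, `salt`, `api_key`, `action` and the body digest are joined with `;` and hashed to form the request signature), but nothing in the hunk records that constraint. Add a one-line comment above `data_hash` stating that the algorithm is dictated by the NFSN API and must not be changed, so a later cleanup does not swap in SHA-256 and silently break authentication. Unlike the identifier-derivation hashes in the other files touched by this PR, `usedforsecurity=False` would be wrong here because the hash is the security mechanism; and since `# nosec` only affects Bandit, the code-scanning alert linked below still needs to be dismissed in the GitHub UI with that justification.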

Review Comment:
   ## Use of a broken or weak cryptographic hashing algorithm on sensitive data
   
   [Sensitive data (id)](1) is used in a hashing algorithm (SHA1) that is insecure.
   
   [Show more details](https://github.com/apache/libcloud/security/code-scanning/31)



##########
libcloud/compute/drivers/cloudsigma.py:
##########
@@ -2196,21 +2287,23 @@
         # find image name and boot drive size
         image = None
         drive_size = 0
+
         for item in extra["drives"]:
             if item["boot_order"] == 1:
                 drive = self.ex_get_drive(item["drive"]["uuid"])
                 drive_size = drive.size
                 image = "{} {}".format(
                     drive.extra.get("distribution", ""), 
drive.extra.get("version", "")
                 )
+
                 break
         # try to find if node size is from example sizes given by CloudSigma
         try:
             kwargs = SPECS_TO_SIZE[(extra["cpus"], extra["memory"], 
drive_size)]
             size = CloudSigmaNodeSize(**kwargs, driver=self)
         except KeyError:
             id_to_hash = str(extra["cpus"]) + str(extra["memory"]) + 
str(drive_size)
-            size_id = hashlib.md5(id_to_hash.encode("utf-8")).hexdigest()
+            size_id = hashlib.md5(id_to_hash.encode("utf-8")).hexdigest()  # 
nosec
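Review bot: two points on the `size_id` fallback. First, `id_to_hash` concatenates `str(extra["cpus"]) + str(extra["memory"]) + str(drive_size)` with no separator, so distinct specs can share an id before MD5 is even involved: cpus=1, memory=12, drive_size=3 and cpus=11, memory=2, drive_size=3 both produce "1123". This predates the hunk, but since the line is being touched it is worth fixing with a delimited form such as `id_to_hash = "{}-{}-{}".format(extra["cpus"], extra["memory"], drive_size)`; note that this changes the ids of existing synthetic sizes, so it should be called out in the changelog. Second, the MD5 here only derives a stable identifier for a size that is absent from `SPECS_TO_SIZE`, so `usedforsecurity=False` (Python 3.9+) expresses that more precisely than a bare `# nosec`, which records no reason and is not honoured by the code-scanning alert linked below; if `# nosec` stays, add the rule id and a short reason.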

Review Comment:
   ## Use of a broken or weak cryptographic hashing algorithm on sensitive data
   
   [Sensitive data (password)](1) is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function.
   
   [Show more details](https://github.com/apache/libcloud/security/code-scanning/29)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
