"Resolve" bandit issue with sha1 hashes
We only use them as a consistent hash, not for anything security related. Even if someone could manage a hash collision or something, the worst that could happen is their own LB stops working... So, just tell bandit to ignore them. Added a docstring to one function to attempt to be extra clear. Change-Id: Ic337c32020e12183e2246b844ded07a83c6d3ad8
parent
790f29e006
commit
91fae05a7d
octavia/common
@ -361,7 +361,10 @@ def load_certificates_data(cert_mngr, listener, context=None):
|
||||
|
||||
def _map_cert_tls_container(cert):
|
||||
return data_models.TLSContainer(
|
||||
id=hashlib.sha1(cert.get_certificate()).hexdigest(),
|
||||
# TODO(rm_work): applying nosec here because this is not intended to be
|
||||
# secure, it's just a way to get a consistent ID. Changing this would
|
||||
# break backwards compatibility with existing loadbalancers.
|
||||
id=hashlib.sha1(cert.get_certificate()).hexdigest(), # nosec
|
||||
primary_cn=get_primary_cn(cert),
|
||||
private_key=prepare_private_key(
|
||||
cert.get_private_key(),
|
||||
|
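Review bot: The bare `# nosec` on the `id=hashlib.sha1(cert.get_certificate()).hexdigest()` line silences every bandit check for that line, not only the weak-hash finding, so a later edit there would go unscanned. The same applies to the `hash_str = ... # nosec` line in `base64_sha1_string`. If the bandit version in use accepts test IDs on the marker, scope it to the hash check; on interpreters that support it (Python 3.9+), `hashlib.sha1(data, usedforsecurity=False)` states the intent in the code rather than in a suppression. The comment is tagged `TODO(rm_work)` but names no follow-up, so `# NOTE:` fits better, and it should say which consumers rely on the ID staying stable. The `TLSContainer(...)` call continues past the end of the hunk.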
@ -38,7 +38,11 @@ def get_hostname():
|
||||
|
||||
|
||||
def base64_sha1_string(string_to_hash):
|
||||
hash_str = hashlib.sha1(string_to_hash.encode('utf-8')).digest()
|
||||
"""Get a b64-encoded sha1 hash of a string. Not intended to be secure!"""
|
||||
# TODO(rm_work): applying nosec here because this is not intended to be
|
||||
# secure, it's just a way to get a consistent ID. Changing this would
|
||||
# break backwards compatibility with existing loadbalancers.
|
||||
hash_str = hashlib.sha1(string_to_hash.encode('utf-8')).digest() # nosec
|
||||
b64_str = base64.b64encode(hash_str, str.encode('_-', 'ascii'))
|
||||
return b64_str.decode('UTF-8')
|
||||
|
||||
|
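Review bot: The new docstring on `base64_sha1_string` says the hash is not meant to be secure but does not say what callers may use it for. The generic name invites reuse for integrity or authentication checks, which the `# nosec` on the `hash_str` line would then hide from the scanner. I would spell out the contract, e.g. `"""Return a base64-encoded SHA-1 digest of a string, for stable identifiers only; never for integrity or authentication."""`. The alternate alphabet passed to `b64encode` (`_-`) deserves a short comment too, since it is not the ordering used by the standard URL-safe variant and any consumer has to match it.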