From 99c2b5b4e56842959e72cdd1f8614f7ed58a5103 Mon Sep 17 00:00:00 2001
From: Flo-Weikert <93138958+Flo-Weikert@users.noreply.github.com>
Date: Mon, 28 Oct 2024 15:07:03 +0100
Subject: [PATCH] Mpt 4059 vulnerability fixes (#10)

(cherry picked from commit 4bcb664975814967d67080ec217c73bd5523e2e8)
---
 auth/auth_server/controllers/token.py | 2 +-
 .../tests/unittests/test_api_digest_token_meta.py | 8 ++++----
 diworker/diworker/importers/gcp.py | 2 +-
 gemini/gemini_worker/migrator.py | 2 +-
 keeper/report_server/controllers/event.py | 2 +-
 keeper/report_server/controllers/event_base.py | 2 +-
 metroculus/metroculus_worker/migrator.py | 2 +-
 rest_api/rest_api_server/controllers/base.py | 2 +-
 .../rest_api_server/controllers/environment_resource.py | 2 +-
 rest_api/rest_api_server/handlers/v1/base.py | 3 +--
 risp/risp_worker/migrator.py | 2 +-
 slacker/slacker_server/controllers/base.py | 2 +-
 slacker/slacker_server/handlers/v2/base.py | 2 +-
 tools/cloud_adapter/clouds/gcp.py | 2 +-
 14 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/auth/auth_server/controllers/token.py b/auth/auth_server/controllers/token.py
index ed5130f8b..d48471b0d 100644
--- a/auth/auth_server/controllers/token.py
+++ b/auth/auth_server/controllers/token.py
@@ -109,7 +109,7 @@ def create_user_token(self, user, **kwargs):
 'created_at': now,
 'valid_until': now + datetime.timedelta(hours=self.expiration),
 'ip': kwargs.get('ip'),
- 'digest': hashlib.md5(macaroon_token.encode('utf-8')).hexdigest()
+ 'digest': hashlib.md5(macaroon_token.encode('utf-8'), usedforsecurity=False).hexdigest()
 }
 token = model_type(**params)
 self.session.add(token)
diff --git a/auth/auth_server/tests/unittests/test_api_digest_token_meta.py b/auth/auth_server/tests/unittests/test_api_digest_token_meta.py
index cb6d07daf..5dc66107e 100644
--- a/auth/auth_server/tests/unittests/test_api_digest_token_meta.py
+++ b/auth/auth_server/tests/unittests/test_api_digest_token_meta.py
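Review bot: `usedforsecurity=False` on the changed `'digest'` line classifies the MD5 as non-cryptographic, but the value is still the key under which the token row is later found (the rest_api and slacker `get_user_id` hunks in this commit pass the same digest to `token_meta_get`), so the flag records a policy decision rather than removing any reliance on the digest, and that decision should be stated in place, e.g. `# MD5 here is an opaque lookup key for the stored token, not an integrity or secrecy control`. The keyword argument exists only from Python 3.9 onward, so every touched service now has a 3.9 floor; the commit message does not say so and a `python_requires`/CI pin is worth checking — this applies equally to the test file, both gcp.py files, the three migrators, event.py, event_base.py and the rest_api and slacker base modules. Most of the new lines also run well past the ~79 columns the existing code wraps at (the environment_resource.py hunk keeps its wrap), so the call should be broken after the first argument. create_user_token begins outside the hunk.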
@@ -41,7 +41,7 @@ def test_digest_get_token_metadata1(self):
 token_response = self.get_token_response(self.user_partner.email,
 self.user_partner_password)
 token = token_response['token']
- digest = hashlib.md5(token.encode('utf-8')).hexdigest()
+ digest = hashlib.md5(token.encode('utf-8'), usedforsecurity=False).hexdigest()
 code, token_meta = self.client.token_meta_get([digest])
 self.assertEqual(code, 200)
 self.assertEqual(len(token_meta), 1)
@@ -62,8 +62,8 @@ def test_digest_get_token_metadata_bulk(self):
 self.user_partner_password)
 token1 = token_response1['token']
 token2 = token_response2['token']
- digest1 = hashlib.md5(token1.encode('utf-8')).hexdigest()
- digest2 = hashlib.md5(token2.encode('utf-8')).hexdigest()
+ digest1 = hashlib.md5(token1.encode('utf-8'), usedforsecurity=False).hexdigest()
+ digest2 = hashlib.md5(token2.encode('utf-8'), usedforsecurity=False).hexdigest()
 code, token_meta = self.client.token_meta_get([digest1, digest2])
 self.assertEqual(code, 200)
 self.assertEqual(len(token_meta), 2)
@@ -89,7 +89,7 @@ def test_digest_get_token_metadata_bulk(self):
 def test_digest_get_with_unexpected(self):
 token = self.get_token(self.user_partner.email, self.user_partner_password)
- digest = hashlib.md5(token.encode('utf-8')).hexdigest()
+ digest = hashlib.md5(token.encode('utf-8'), usedforsecurity=False).hexdigest()
 payload_dict = {
 'digests': [digest]
 }
diff --git a/diworker/diworker/importers/gcp.py b/diworker/diworker/importers/gcp.py
index 4898ddddf..6d1f0ce9d 100644
--- a/diworker/diworker/importers/gcp.py
+++ b/diworker/diworker/importers/gcp.py
@@ -69,7 +69,7 @@ def _get_resource_region(self, region_data):
 
 @staticmethod
 def _generate_tags_hash(tags: dict[str: str]) -> str:
- return hashlib.sha1(repr(sorted(tags.items())).encode()).hexdigest()
+ return hashlib.sha1(repr(sorted(tags.items())).encode(), usedforsecurity=False).hexdigest()
 
 @staticmethod
 def _generate_resource_id(row_dict):
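Review bot: The context line `def _generate_tags_hash(tags: dict[str: str]) -> str:` annotates the parameter with a slice rather than a key/value pair; it only evaluates at runtime because `dict[...]` accepts any subscript, and type checkers will not read it as the intended `dict[str, str]`, which is what the line should say. The new line is over the width the rest of this diff keeps; breaking it after `.encode(),` with `usedforsecurity=False).hexdigest()` on the continuation keeps it readable. The class enclosing this staticmethod starts outside the hunk.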
diff --git a/gemini/gemini_worker/migrator.py b/gemini/gemini_worker/migrator.py
index 20f6e7efc..49ca9e46d 100644
--- a/gemini/gemini_worker/migrator.py
+++ b/gemini/gemini_worker/migrator.py
@@ -106,7 +106,7 @@ def _get_script_from_name(filename):
 @staticmethod
 def _get_md5(filename):
 return hashlib.md5(
- open(f"{MIGRATIONS_FOLDER}/(unknown).py", "rb").read()
+ open(f"{MIGRATIONS_FOLDER}/(unknown).py", "rb").read(), usedforsecurity=False
 ).hexdigest()
 
 def update_versions_table(self, filename):
diff --git a/keeper/report_server/controllers/event.py b/keeper/report_server/controllers/event.py
index ba9db3b61..496fc4116 100644
--- a/keeper/report_server/controllers/event.py
+++ b/keeper/report_server/controllers/event.py
@@ -154,7 +154,7 @@ def ack(self, id, **kwargs):
 poll_orgs = self.get_ack_resources(token)
 if event.organization_id not in poll_orgs:
 raise ForbiddenException(Err.OK0002, [])
- digest = hashlib.md5(token.encode("utf-8")).hexdigest()
+ digest = hashlib.md5(token.encode("utf-8"), usedforsecurity=False).hexdigest()
 user_meta = self.get_meta_by_token(token)
 event.acknowledged_by = digest
 event.acknowledged_user = "%s (%s)" % (
diff --git a/keeper/report_server/controllers/event_base.py b/keeper/report_server/controllers/event_base.py
index 4adf87754..dc1885e3d 100644
--- a/keeper/report_server/controllers/event_base.py
+++ b/keeper/report_server/controllers/event_base.py
@@ -84,7 +84,7 @@ def get_reads(self, user_id):
 
 def get_meta_by_token(self, token):
 user_digest = list(
- map(lambda x: hashlib.md5(x.encode("utf-8")).hexdigest(), [token])
+ map(lambda x: hashlib.md5(x.encode("utf-8"), usedforsecurity=False).hexdigest(), [token])
 )[0]
 token_meta = self.get_token_meta([user_digest]).get(user_digest, {})
 return token_meta
diff --git a/metroculus/metroculus_worker/migrator.py b/metroculus/metroculus_worker/migrator.py
index 45c39fc7c..d4b823a0e 100644
--- a/metroculus/metroculus_worker/migrator.py
+++ b/metroculus/metroculus_worker/migrator.py
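Review bot: `open(f"{MIGRATIONS_FOLDER}/(unknown).py", "rb").read()` inside `_get_md5` never closes the file; the handle is released only when the object is collected, which happens promptly on CPython but is reported as a ResourceWarning and is not guaranteed on other runtimes. The metroculus and risp `_get_md5` hunks in this commit read the migration file the same way. Use a context manager: `with open(f"{MIGRATIONS_FOLDER}/(unknown).py", "rb") as fh:` / `return hashlib.md5(fh.read(), usedforsecurity=False).hexdigest()`. The `(unknown)` path segment looks like an artifact of this rendering rather than the literal source, so check the f-string against the actual file before copying it.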
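Review bot: `event.acknowledged_by = digest` stores an unsalted MD5 of the caller's bearer token as a persistent field of the event, so the event store ends up holding a fingerprint of a live credential; the `usedforsecurity=False` on the changed line asserts the hash is not a control, but it does not change what is being persisted. `user_meta` is fetched on the next line — if it carries a user id (inferred from the name `get_meta_by_token`; confirm against its return value) that id is the better audit identifier and would decouple the record from the token. If the digest must stay for compatibility with `token_meta_get` lookups, say so in place: `# acknowledged_by holds the token digest used for token_meta_get, not a user id`. ack begins outside the hunk.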
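Review bot: `list(map(lambda x: ..., [token]))[0]` on the changed line pushes a single value through a one-element map and then indexes the result to get it back; the same construct appears in the rest_api handlers/v1/base.py and slacker handlers/v2/base.py hunks of this commit. The direct form `user_digest = hashlib.md5(token.encode("utf-8"), usedforsecurity=False).hexdigest()` does the same work in one readable line and drops the three-line wrap. Note that `x.encode` raises AttributeError when `token` is None; whether callers can pass None is not visible in this hunk.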
@@ -93,7 +93,7 @@ def _get_script_from_name(filename):
 @staticmethod
 def _get_md5(filename):
 return hashlib.md5(open(
- f"{MIGRATIONS_FOLDER}/(unknown).py", 'rb').read()).hexdigest()
+ f"{MIGRATIONS_FOLDER}/(unknown).py", 'rb').read(), usedforsecurity=False).hexdigest()
 
 def update_versions_table(self, filename):
 version = [{
diff --git a/rest_api/rest_api_server/controllers/base.py b/rest_api/rest_api_server/controllers/base.py
index c76a75f5e..30660ebfa 100644
--- a/rest_api/rest_api_server/controllers/base.py
+++ b/rest_api/rest_api_server/controllers/base.py
@@ -397,7 +397,7 @@ def auth_client(self):
 return self._auth_client
 
 def get_user_id(self):
- user_digest = hashlib.md5(self.token.encode('utf-8')).hexdigest()
+ user_digest = hashlib.md5(self.token.encode('utf-8'), usedforsecurity=False).hexdigest()
 _, token_meta = self.auth_client.token_meta_get([user_digest])
 return token_meta.get(user_digest, {}).get('user_id')
 
diff --git a/rest_api/rest_api_server/controllers/environment_resource.py b/rest_api/rest_api_server/controllers/environment_resource.py
index af2a8ead0..363cd34ec 100644
--- a/rest_api/rest_api_server/controllers/environment_resource.py
+++ b/rest_api/rest_api_server/controllers/environment_resource.py
@@ -171,7 +171,7 @@ def gen_cloud_resource_ids(resources):
 def get_cloud_resource_id(r):
 tail = "%s%s" % (r.get('name'), r.get('resource_type'))
 return 'environment_%s' % hashlib.md5(
- tail.encode('utf-8')).hexdigest()
+ tail.encode('utf-8'), usedforsecurity=False).hexdigest()
 
 for resource in resources:
 if resource.get('cloud_resource_id'):
diff --git a/rest_api/rest_api_server/handlers/v1/base.py b/rest_api/rest_api_server/handlers/v1/base.py
index 8225e6ea6..b75fdefcc 100644
--- a/rest_api/rest_api_server/handlers/v1/base.py
+++ b/rest_api/rest_api_server/handlers/v1/base.py
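Review bot: `_, token_meta = self.auth_client.token_meta_get([user_digest])` throws away the status code, so an auth-service error or a rejected digest is indistinguishable from an unknown user: both reach `.get('user_id')` and return None. The `get_user_id` in slacker/slacker_server/controllers/base.py in this commit is a byte-for-byte copy with the same gap. The test hunk shows the convention for this call is `code, token_meta = ...` followed by `assertEqual(code, 200)` (presumably the same client class), so here too the code should be bound and checked — `code, token_meta = self.auth_client.token_meta_get([user_digest])` / `if code != 200:` followed by a log line and an explicit None return or the controller's existing auth exception — and the new line should be wrapped to the file's width.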
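Review bot: `tail = "%s%s" % (r.get('name'), r.get('resource_type'))` on the context line joins the two fields with no separator, so `('ab', 'c')` and `('a', 'bc')` hash to the same `environment_...` id, and a missing field becomes the literal string `None`. Because these ids are presumably persisted and matched later, inserting a separator would silently change every existing id, so the fix needs a versioned prefix or a migration rather than a one-line edit. Until then the property should be recorded where the id is built: `# NOTE: name and resource_type are concatenated without a separator; ids are stable but not collision-free`. gen_cloud_resource_ids begins outside the hunk.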
@@ -295,9 +295,8 @@ def get_token_meta(self, digests):
 return token_meta_dict
 
 def get_meta_by_token(self, token):
- print(2)
 user_digest = list(map(
- lambda x: hashlib.md5(x.encode('utf-8')).hexdigest(), [token]))[0]
+ lambda x: hashlib.md5(x.encode('utf-8'), usedforsecurity=False).hexdigest(), [token]))[0]
 token_meta = self.get_token_meta([user_digest]).get(user_digest, {})
 return token_meta
 
diff --git a/risp/risp_worker/migrator.py b/risp/risp_worker/migrator.py
index 16eba53f1..5f4aed3f3 100644
--- a/risp/risp_worker/migrator.py
+++ b/risp/risp_worker/migrator.py
@@ -101,7 +101,7 @@ def _get_script_from_name(filename):
 @staticmethod
 def _get_md5(filename):
 return hashlib.md5(open(
- f"{MIGRATIONS_FOLDER}/(unknown).py", 'rb').read()).hexdigest()
+ f"{MIGRATIONS_FOLDER}/(unknown).py", 'rb').read(), usedforsecurity=False).hexdigest()
 
 def update_versions_table(self, filename):
 version = [{
diff --git a/slacker/slacker_server/controllers/base.py b/slacker/slacker_server/controllers/base.py
index 1a1bec326..69360ec59 100644
--- a/slacker/slacker_server/controllers/base.py
+++ b/slacker/slacker_server/controllers/base.py
@@ -83,7 +83,7 @@ def __init__(self, app, db_session, config_cl=None, token=None,
 self.token = token
 
 def get_user_id(self):
- user_digest = hashlib.md5(self.token.encode('utf-8')).hexdigest()
+ user_digest = hashlib.md5(self.token.encode('utf-8'), usedforsecurity=False).hexdigest()
 _, token_meta = self.auth_client.token_meta_get([user_digest])
 return token_meta.get(user_digest, {}).get('user_id')
 
diff --git a/slacker/slacker_server/handlers/v2/base.py b/slacker/slacker_server/handlers/v2/base.py
index e18505c27..4eff2566d 100644
--- a/slacker/slacker_server/handlers/v2/base.py
+++ b/slacker/slacker_server/handlers/v2/base.py
@@ -204,7 +204,7 @@ def get_token_meta(self, digests):
 
 def get_meta_by_token(self, token):
 user_digest = list(
- map(lambda x: hashlib.md5(x.encode("utf-8")).hexdigest(), [token])
+ map(lambda x: hashlib.md5(x.encode("utf-8"), usedforsecurity=False).hexdigest(), [token])
 )[0]
 token_meta = self.get_token_meta([user_digest]).get(user_digest, {})
 return token_meta
diff --git a/tools/cloud_adapter/clouds/gcp.py b/tools/cloud_adapter/clouds/gcp.py
index f7ee1c58b..7d90a5fb4 100644
--- a/tools/cloud_adapter/clouds/gcp.py
+++ b/tools/cloud_adapter/clouds/gcp.py
@@ -229,7 +229,7 @@ def _get_common_fields(self):
 )
 
 def _cloud_resource_hash(self):
- return hashlib.sha1(self._cloud_object.self_link.encode()).hexdigest()
+ return hashlib.sha1(self._cloud_object.self_link.encode(), usedforsecurity=False).hexdigest()
 
 def _need_to_update_tags(self):
 optscale_tag_value = self.tags.get(OPTSCALE_TRACKING_TAG)