S324 false negatives for synonyms of insecure algorithm names #16572

Open
dscorbett opened this issue Mar 8, 2025 · 0 comments
Summary

hashlib-insecure-hash-function (S324) misses some insecure algorithm names that are equivalent to names that it currently flags. "ssl3-md5" and "1.2.840.113549.2.5" are synonyms of "md5". "sha-1", "ssl3-sha1", and "1.3.14.3.2.26" are synonyms of "sha1". Trailing spaces are ignored after any name. The details depend on the version of OpenSSL that Python is using, but those are the false negatives I’ve found on my machine.

import hashlib
print(hashlib.new("md5  ").hexdigest())
print(hashlib.new("sha-1").hexdigest())
print(hashlib.new("ssl3-md5").hexdigest())
print(hashlib.new("ssl3-sha1").hexdigest())
print(hashlib.new("1.3.14.3.2.26").hexdigest())
print(hashlib.new("1.2.840.113549.2.5").hexdigest())

Version

ruff 0.9.10 (0dfa810 2025-03-07)
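A static check along the lines the report asks for, added here as an example that is not part of ruff or the issue: it normalizes the algorithm name the way the issue describes (trailing whitespace ignored; lowercasing is an added assumption) and resolves the listed aliases and OIDs to md5 or sha1 before flagging `hashlib.new` calls. The alias table and the sample source are constructed from the names in the report.

```python
import ast

# Canonical insecure algorithms that S324 already flags (md5, sha1), keyed by
# the OpenSSL aliases and OIDs the issue lists. Which aliases hashlib.new()
# accepts depends on the linked OpenSSL, so this is a static table, not a
# live lookup.
INSECURE_ALIASES = {
    "md5": "md5", "ssl3-md5": "md5", "1.2.840.113549.2.5": "md5",
    "sha1": "sha1", "sha-1": "sha1", "ssl3-sha1": "sha1", "1.3.14.3.2.26": "sha1",
}


def canonical_insecure_name(name):
    # Mirror the leniency the issue describes: trailing whitespace is ignored.
    # Lowercasing is an assumption (OpenSSL's name lookup is case-insensitive).
    return INSECURE_ALIASES.get(name.rstrip().lower())


def _is_hashlib_new(func):
    return (isinstance(func, ast.Attribute) and func.attr == "new"
            and isinstance(func.value, ast.Name) and func.value.id == "hashlib")


def find_insecure_hashlib_calls(source):
    """Return (line, literal, canonical) for each hashlib.new("<name>") call
    whose name resolves to an insecure algorithm."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and node.args and _is_hashlib_new(node.func)):
            continue
        first = node.args[0]
        if isinstance(first, ast.Constant) and isinstance(first.value, str):
            canonical = canonical_insecure_name(first.value)
            if canonical is not None:
                findings.append((node.lineno, first.value, canonical))
    return findings


# Constructed sample reproducing the issue's cases plus a secure control.
SAMPLE = '''import hashlib
hashlib.new("md5  ")
hashlib.new("sha-1")
hashlib.new("ssl3-sha1")
hashlib.new("1.2.840.113549.2.5")
hashlib.new("sha256")
'''

if __name__ == "__main__":
    for line, literal, canonical in find_insecure_hashlib_calls(SAMPLE):
        print(f"line {line}: {literal!r} resolves to insecure {canonical}")
```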
