B324: hashlib

B324: Test use of insecure md4, md5, or sha1 hash functions in hashlib

This plugin checks for the usage of the insecure MD4, MD5, or SHA1 hash functions in hashlib and crypt. The hashlib.new function provides the ability to construct a new hashing object using the named algorithm. This can be used to create insecure hash functions like MD4 and MD5 if they are passed as algorithm names to this function.

For Python versions prior to 3.9, this check is similar to B303 blacklist except that this checks for insecure hash functions created using hashlib.new function. For Python version 3.9 and later, this check does additional checking for usage of keyword usedforsecurity on all function variations of hashlib.

Similar to hashlib, this plugin also checks for usage of one of the crypt module’s weak hashes. crypt also permits MD5 among other weak hash variants.

Example:

>> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for
   security. Consider usedforsecurity=False
   Severity: High   Confidence: High
   CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
   Location: examples/hashlib_new_insecure_functions.py:3:0
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b324_hashlib.html
2
3   hashlib.new('md5')
4

See also

• https://cwe.mitre.org/data/definitions/327.html

New in version 1.5.0.

Changed in version 1.7.3: CWE information added

Changed in version 1.7.6: Added check for the crypt module weak hashes