B324: hashlib
B324: Test use of insecure md4, md5, or sha1 hash functions in hashlib
This plugin checks for the usage of the insecure MD4, MD5, or SHA1 hash
functions in hashlib
and crypt
. The hashlib.new
function provides
the ability to construct a new hashing object using the named algorithm. This
can be used to create insecure hash functions like MD4 and MD5 if they are
passed as algorithm names to this function.
For Python versions prior to 3.9, this check is similar to B303 blacklist
except that this checks for insecure hash functions created using
hashlib.new
function. For Python version 3.9 and later, this check
does additional checking for usage of keyword usedforsecurity on all
function variations of hashlib.
Similar to hashlib
, this plugin also checks for usage of one of the
crypt
module’s weak hashes. crypt
also permits MD5 among other weak
hash variants.
- Example:
>> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for
security. Consider usedforsecurity=False
Severity: High Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: examples/hashlib_new_insecure_functions.py:3:0
More Info: https://bandit.readthedocs.io/en/latest/plugins/b324_hashlib.html
2
3 hashlib.new('md5')
4
Added in version 1.5.0.
Changed in version 1.7.3: CWE information added
Changed in version 1.7.6: Added check for the crypt module weak hashes