Add usedforsecurity for sha1 algorithm (apache#44081)

SHA1 is cryptographically weak and some restricted environments (FIPS compliant) are blocking weak algorithms. You can use them (as of Python 3.9) in those environments by specifically stating that the algorithm is not used for security.
aws-mwaa · Nov 16, 2024 · a85d94e · a85d94e
1 parent 80a2f10
commit a85d94e
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 5 deletions.
diff --git a/airflow/models/dagcode.py b/airflow/models/dagcode.py
@@ -163,4 +163,9 @@ def dag_fileloc_hash(full_filepath: str) -> int:
         import hashlib
 
         # Only 7 bytes because MySQL BigInteger can hold only 8 bytes (signed).
-        return struct.unpack(">Q", hashlib.sha1(full_filepath.encode("utf-8")).digest()[-8:])[0] >> 8
+        return (
+            struct.unpack(
+                ">Q", hashlib.sha1(full_filepath.encode("utf-8"), usedforsecurity=False).digest()[-8:]
+            )[0]
+            >> 8
+        )
diff --git a/airflow/models/taskinstance.py b/airflow/models/taskinstance.py
@@ -2456,7 +2456,8 @@ def next_retry_datetime(self):
             # deterministic per task instance
             ti_hash = int(
                 hashlib.sha1(
-                    f"{self.dag_id}#{self.task_id}#{self.logical_date}#{self.try_number}".encode()
+                    f"{self.dag_id}#{self.task_id}#{self.logical_date}#{self.try_number}".encode(),
+                    usedforsecurity=False,
                 ).hexdigest(),
                 16,
             )

diff --git a/airflow/sensors/base.py b/airflow/sensors/base.py
@@ -365,7 +365,8 @@ def _get_next_poke_interval(
                 # Calculate the jitter
                 run_hash = int(
                     hashlib.sha1(
-                        f"{self.dag_id}#{self.task_id}#{started_at}#{estimated_poke_count}".encode()
+                        f"{self.dag_id}#{self.task_id}#{started_at}#{estimated_poke_count}".encode(),
+                        usedforsecurity=False,
                     ).hexdigest(),
                     16,
                 )
@@ -384,7 +385,9 @@ def _get_next_poke_interval(
         min_backoff = max(int(self.poke_interval * (2 ** (poke_count - 2))), 1)
 
         run_hash = int(
-            hashlib.sha1(f"{self.dag_id}#{self.task_id}#{started_at}#{poke_count}".encode()).hexdigest(),
+            hashlib.sha1(
+                f"{self.dag_id}#{self.task_id}#{started_at}#{poke_count}".encode(), usedforsecurity=False
+            ).hexdigest(),
             16,
         )
         modded_hash = min_backoff + run_hash % min_backoff

diff --git a/airflow/utils/file.py b/airflow/utils/file.py
@@ -356,7 +356,7 @@ def iter_airflow_imports(file_path: str) -> Generator[str, None, None]:
 def get_unique_dag_module_name(file_path: str) -> str:
     """Return a unique module name in the format unusual_prefix_{sha1 of module's file path}_{original module name}."""
     if isinstance(file_path, str):
-        path_hash = hashlib.sha1(file_path.encode("utf-8")).hexdigest()
+        path_hash = hashlib.sha1(file_path.encode("utf-8"), usedforsecurity=False).hexdigest()
         org_mod_name = re2.sub(r"[.-]", "_", Path(file_path).stem)
         return MODIFIED_DAG_MODULE_NAME.format(path_hash=path_hash, module_name=org_mod_name)
     raise ValueError("file_path should be a string to generate unique module name")