Add usedforsecurity=False flag to md5 hashes (#7049)

Co-authored-by: Ezra Odio <eodio@starfishstorage.com> Co-authored-by: Justin Clift <justin@postgresql.org>
2025-12-19 17:37:19 -05:00 · 2024-07-11 13:34:53 -04:00
parent 28c39219af
commit d9282b2688
3 changed files with 11 additions and 5 deletions
--- a/redash/models/users.py
+++ b/redash/models/users.py
@@ -166,7 +166,7 @@ class User(TimestampMixin, db.Model, BelongsToOrgMixin, UserMixin, PermissionsCh
        if self._profile_image_url:
            return self._profile_image_url

-        email_md5 = hashlib.md5(self.email.lower().encode()).hexdigest()
+        email_md5 = hashlib.md5(self.email.lower().encode(), usedforsecurity=False).hexdigest()
        return "https://www.gravatar.com/avatar/{}?s=40&d=identicon".format(email_md5)

    @property
@@ -233,7 +233,9 @@ class User(TimestampMixin, db.Model, BelongsToOrgMixin, UserMixin, PermissionsCh
        return AccessPermission.exists(obj, access_type, grantee=self)

    def get_id(self):
-        identity = hashlib.md5("{},{}".format(self.email, self.password_hash).encode()).hexdigest()
+        identity = hashlib.md5(
+            "{},{}".format(self.email, self.password_hash).encode(), usedforsecurity=False
+        ).hexdigest()
        return "{0}-{1}".format(self.id, identity)

    def get_actual_user(self):
--- a/redash/query_runner/query_results.py
+++ b/redash/query_runner/query_results.py
@@ -90,7 +90,9 @@ def create_tables_from_query_ids(user, connection, query_ids, query_params, cach

    for query in set(query_params):
        results = get_query_results(user, query[0], False, query[1])
-        table_hash = hashlib.md5("query_{query}_{hash}".format(query=query[0], hash=query[1]).encode()).hexdigest()
+        table_hash = hashlib.md5(
+            "query_{query}_{hash}".format(query=query[0], hash=query[1]).encode(), usedforsecurity=False
+        ).hexdigest()
        table_name = "query_{query_id}_{param_hash}".format(query_id=query[0], param_hash=table_hash)
        create_table(connection, table_name, results)

@@ -142,7 +144,9 @@ def create_table(connection, table_name, query_results):

 def prepare_parameterized_query(query, query_params):
    for params in query_params:
-        table_hash = hashlib.md5("query_{query}_{hash}".format(query=params[0], hash=params[1]).encode()).hexdigest()
+        table_hash = hashlib.md5(
+            "query_{query}_{hash}".format(query=params[0], hash=params[1]).encode(), usedforsecurity=False
+        ).hexdigest()
        key = "param_query_{query_id}_{{{param_string}}}".format(query_id=params[0], param_string=params[1])
        value = "query_{query_id}_{param_hash}".format(query_id=params[0], param_hash=table_hash)
        query = query.replace(key, value)
--- a/redash/utils/init.py
+++ b/redash/utils/init.py
@@ -60,7 +60,7 @@ def gen_query_hash(sql):
    """
    sql = COMMENTS_REGEX.sub("", sql)
    sql = "".join(sql.split())
-    return hashlib.md5(sql.encode("utf-8")).hexdigest()
+    return hashlib.md5(sql.encode("utf-8"), usedforsecurity=False).hexdigest()


 def generate_token(length):