
Infra improvements #46

Merged
Nayjest merged 2 commits into main from infra_improvements
Feb 13, 2026

@Nayjest (Owner) commented Feb 13, 2026

No description provided.

@github-actions

I've Reviewed the Code

This PR applies code formatting changes across the codebase using Black (with a 100-character line length setting added to pyproject.toml), including adding blank lines after docstrings, reformatting function signatures and dictionary literals to fit on single lines where possible, and standardizing string quotes to double quotes.

✅ No issues found in 29 files

lm_proxy/core.py Dismissed
return hashlib.md5(
(api_key + env.config.encryption_key).encode("utf-8")
).hexdigest()
return hashlib.md5((api_key + env.config.encryption_key).encode("utf-8")).hexdigest()
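Review bot: The joined `return` line still hashes `api_key + env.config.encryption_key`, a plain concatenation, so the digest input carries no boundary between the API key and the encryption key and the construction is not a keyed MAC. If this value is meant as a keyed pseudonymous identifier, consider `hmac.new(env.config.encryption_key.encode("utf-8"), api_key.encode("utf-8"), hashlib.sha256).hexdigest()` (needs `import hmac`), and add a comment on the line stating that the result is an identifier, not a password hash, so the scanner finding can be triaged against documented intent.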

Check failure

Code scanning / CodeQL

Use of a broken or weak cryptographic hashing algorithm on sensitive data High

Sensitive data (password) is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function.

Copilot Autofix

AI 16 days ago

General approach: replace the use of MD5 with a modern cryptographic hash function from the SHA-2 family (e.g., SHA-256) for deriving this API key identifier. Since this identifier is not a password verifier but a pseudonymous ID, we do not need a slow KDF like bcrypt/Argon2; a simple SHA-256 hash is sufficient and standard.

Best concrete fix without changing functionality: keep the logic and types of api_key_id exactly the same (returns a deterministic hex string based on api_key and env.config.encryption_key), but change hashlib.md5 to hashlib.sha256. This preserves:

  • Same function signature and return type (str | None).
  • Same salting/combining scheme with env.config.encryption_key.
  • Same encoding (utf-8) and hex-digest format.

Only the length and value of the identifier change, which should be acceptable for any logging/metrics usage and does not affect authorization or API behavior.

Specific changes:

  • File: lm_proxy/core.py
  • In api_key_id (around line 151), replace:
    • hashlib.md5(...).hexdigest()
      with:
    • hashlib.sha256(...).hexdigest()
  • No new imports are needed because hashlib is already imported at the top of the file.

Suggested changeset 1
lm_proxy/core.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/lm_proxy/core.py b/lm_proxy/core.py
--- a/lm_proxy/core.py
+++ b/lm_proxy/core.py
@@ -148,7 +148,7 @@
     """
     if not api_key:
         return None
-    return hashlib.md5((api_key + env.config.encryption_key).encode("utf-8")).hexdigest()
+    return hashlib.sha256((api_key + env.config.encryption_key).encode("utf-8")).hexdigest()
 
 
 def fail_if_service_disabled():
EOF
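Review bot: Replacing `hashlib.md5` with `hashlib.sha256` on the `return` line lengthens the hex identifier from 32 to 64 characters and changes every value it produces, which the patch does not handle for identifiers already written to logs, metrics or storage. Before applying, check the callers for fixed-width fields or lookups on previously issued IDs, and record the cut-over so old and new identifiers are not compared against each other.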

@Nayjest (Owner, Author) commented Feb 13, 2026

@gito is sha256 slower than md5?

@github-actions

Yes, SHA-256 is slower than MD5 — roughly 2-3x slower in typical benchmarks.

But here's the thing: looking at your codebase, you're using MD5 in api_key_id() for hashing API keys (line 151 in core.py). For this use case — generating a consistent identifier, not securing passwords — MD5 is perfectly fine. The speed difference is negligible for single hashes, and you're not defending against collision attacks here.

TL;DR: MD5 is faster, SHA-256 is more secure. Your current MD5 usage for key identification? Totally reasonable. Don't fix what ain't broken. 🎯

@Nayjest Nayjest merged commit e9789b6 into main Feb 13, 2026
11 checks passed
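
The identifier schemes discussed in this thread, side by side, as an added example that is not code from lm_proxy. `concat_id` mirrors the `hash(api_key + encryption_key)` line in the diff; `hmac_id`, `split_is_ambiguous`, `migration_map` and the sample values are hypothetical names and constructed data used only for illustration.

```python
import hashlib
import hmac
from typing import Callable, Dict, Iterable, Optional

# Constructed sample values for illustration; not real credentials.
SAMPLE_SECRET = "constructed-encryption-key"
SAMPLE_KEYS = ["sk-constructed-0001", "sk-constructed-0002"]


def concat_id(api_key: str, secret: str, algo: str = "md5") -> Optional[str]:
    """Scheme from the diff: hex digest of (api_key + secret)."""
    if not api_key:
        return None
    return hashlib.new(algo, (api_key + secret).encode("utf-8")).hexdigest()


def hmac_id(api_key: str, secret: str) -> Optional[str]:
    """Assumed alternative: HMAC-SHA256 keyed with the server-side secret."""
    if not api_key:
        return None
    mac = hmac.new(secret.encode("utf-8"), api_key.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def split_is_ambiguous(fn: Callable[[str, str], Optional[str]]) -> bool:
    """True if two different (api_key, secret) splits of one string share an ID."""
    return fn("abc", "def") == fn("abcd", "ef")


def migration_map(api_keys: Iterable[str], secret: str) -> Dict[str, str]:
    """Map each old MD5 identifier to its replacement so stored IDs can be re-keyed."""
    return {concat_id(k, secret, "md5"): hmac_id(k, secret) for k in api_keys}


if __name__ == "__main__":
    key = SAMPLE_KEYS[0]
    for label, value in [
        ("md5 concat", concat_id(key, SAMPLE_SECRET, "md5")),
        ("sha256 concat", concat_id(key, SAMPLE_SECRET, "sha256")),
        ("hmac-sha256", hmac_id(key, SAMPLE_SECRET)),
    ]:
        print(f"{label:14} len={len(value)} {value}")
    print("concat ambiguous:", split_is_ambiguous(concat_id))
    print("hmac ambiguous:  ", split_is_ambiguous(hmac_id))
    print(migration_map(SAMPLE_KEYS, SAMPLE_SECRET))
```

With a fixed server-side secret a caller cannot shift the key/secret boundary; the ambiguity check only shows that concatenation, unlike HMAC, does not bind the two inputs separately.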