affirm our use of insecure hashing

mr-c · mr-c · commit 25d8446853a1 · 2019-04-20T12:31:58.000+02:00
diff --git a/cwltool/command_line_tool.py b/cwltool/command_line_tool.py
@@ -354,7 +354,8 @@ def job(self,
 
             keydictstr = json_dumps(keydict, separators=(',', ':'),
                                     sort_keys=True)
-            cachekey = hashlib.md5(keydictstr.encode('utf-8')).hexdigest()
+            cachekey = hashlib.md5(  # nosec
+                keydictstr.encode('utf-8')).hexdigest()
 
             _logger.debug("[job %s] keydictstr is %s -> %s", jobname,
                           keydictstr, cachekey)
@@ -717,7 +718,7 @@ def collect_output(self,
                                 files["contents"] = content_limit_respected_read_bytes(f).decode("utf-8")
                         if compute_checksum:
                             with fs_access.open(rfile["location"], "rb") as f:
-                                checksum = hashlib.sha1()
+                                checksum = hashlib.sha1()  # nosec
                                 contents = f.read(1024 * 1024)
                                 while contents != b"":
                                     checksum.update(contents)
diff --git a/cwltool/load_tool.py b/cwltool/load_tool.py
@@ -152,10 +152,9 @@ def _convert_stdstreams_to_files(workflowobj):
                                 filename = workflowobj[streamtype]
                             else:
                                 filename = Text(
-                                    hashlib.sha1(json_dumps(workflowobj,
-                                                            sort_keys=True
-                                                           ).encode('utf-8')
-                                                ).hexdigest())
+                                    hashlib.sha1(  # nosec
+                                        json_dumps(workflowobj, sort_keys=True
+                                                  ).encode('utf-8')).hexdigest())
                                 workflowobj[streamtype] = filename
                             out['type'] = 'File'
                             out['outputBinding'] = cmap({'glob': filename})
diff --git a/cwltool/process.py b/cwltool/process.py
@@ -1018,7 +1018,7 @@ def scandeps(base,                          # type: Text
 
 def compute_checksums(fs_access, fileobj):
     if "checksum" not in fileobj:
-        checksum = hashlib.sha1()
+        checksum = hashlib.sha1()  # nosec
         with fs_access.open(fileobj["location"], "rb") as f:
             contents = f.read(1024 * 1024)
             while contents != b"":
diff --git a/cwltool/provenance.py b/cwltool/provenance.py
@@ -164,7 +164,7 @@ def __init__(self, research_object, rel_path):
         if posixpath.isabs(rel_path):
             raise ValueError("rel_path must be relative: %s" % rel_path)
         self.rel_path = rel_path
-        self.hashes = {SHA1: hashlib.sha1(),
+        self.hashes = {SHA1: hashlib.sha1(),  # nosec
                        SHA256: hashlib.sha256(),
                        SHA512: hashlib.sha512()}
         # Open file in Research Object folder
diff --git a/cwltool/utils.py b/cwltool/utils.py
@@ -234,5 +234,5 @@ def random_outdir():  # type: () -> Text
     """ Return the random directory name chosen to use for tool / workflow output """
     # compute this once and store it as a function attribute - each subsequent call will return the same value
     if not hasattr(random_outdir, 'outdir'):
-        random_outdir.outdir = '/' + ''.join([random.choice(string.ascii_letters) for _ in range(6)])  # type: ignore
+        random_outdir.outdir = '/' + ''.join([random.choice(string.ascii_letters) for _ in range(6)])  # type: ignore  # nosec
     return random_outdir.outdir  # type: ignore
