From 897ce4035fe9e652f0f57d3d2d8719bc7123d5ec Mon Sep 17 00:00:00 2001
From: anti
Date: Mon, 20 Apr 2026 23:06:31 -0400
Subject: [PATCH] fix(sniffer): mark JA3/JA3S MD5 hashing as non-security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

JA3/JA3S fingerprints are defined by their specs as MD5 digests of the ClientHello/ServerHello feature tuples — they are identifiers, not security primitives. Pass usedforsecurity=False at the two call sites so bandit stops flagging them as B324 High when scanning outside the templates/ exclude.
---
 decnet/templates/sniffer/server.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/decnet/templates/sniffer/server.py b/decnet/templates/sniffer/server.py
index 9bd7714b..67173b49 100644
--- a/decnet/templates/sniffer/server.py
+++ b/decnet/templates/sniffer/server.py
@@ -639,7 +639,8 @@ def _ja3(ch: dict[str, Any]) -> tuple[str, str]:
 "-".join(str(p) for p in ch["ec_point_formats"]),
 ]
 ja3_str = ",".join(parts)
- return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest()
+ # JA3 fingerprint spec uses MD5; not security-relevant.
+ return ja3_str, hashlib.md5(ja3_str.encode(), usedforsecurity=False).hexdigest()
 
 
 def _ja3s(sh: dict[str, Any]) -> tuple[str, str]:
@@ -650,7 +651,8 @@ def _ja3s(sh: dict[str, Any]) -> tuple[str, str]:
 "-".join(str(e) for e in sh["extensions"]),
 ]
 ja3s_str = ",".join(parts)
- return ja3s_str, hashlib.md5(ja3s_str.encode()).hexdigest()
+ # JA3S fingerprint spec uses MD5; not security-relevant.
+ return ja3s_str, hashlib.md5(ja3s_str.encode(), usedforsecurity=False).hexdigest()
 
 
 # ─── JA4 / JA4S computation ──────────────────────────────────────────────────
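Review bot: The new comment above the `return` in `_ja3` explains only the linter motivation, while `usedforsecurity=False` also has a runtime effect the next maintainer should know about: on a FIPS-restricted OpenSSL build, `hashlib.md5()` without that flag raises instead of returning a digest, so the flag is what keeps JA3 fingerprinting working on such hosts rather than merely silencing B324. I would widen the comment (and its twin in `_ja3s`) to `# JA3 is specified as an MD5 digest; usedforsecurity=False keeps MD5 available under FIPS-mode OpenSSL and marks it as an identifier, not a security primitive.` The `usedforsecurity` keyword only exists from Python 3.9 onward; the `dict[str, Any]` generics in the signature suggest the file already targets 3.9+, but confirm it against the project's declared minimum before relying on it. Since the hash is a client-controlled, trivially spoofable identifier, nothing downstream should treat a JA3 match as authentication; a one-line note to that effect would not hurt here. `_ja3` begins before the hunk, so its docstring, if any, is not visible here.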