fix(sniffer): mark JA3/JA3S MD5 hashing as non-security

JA3/JA3S fingerprints are defined by their specs as MD5 digests of
the ClientHello/ServerHello feature tuples — they are identifiers,
not security primitives. Pass usedforsecurity=False at the two call
sites so bandit stops flagging them as B324 High when scanning
outside the templates/ exclude.
2026-04-20 23:06:31 -04:00
parent d06b04221f
commit 897ce4035f


@@ -639,7 +639,8 @@ def _ja3(ch: dict[str, Any]) -> tuple[str, str]:
"-".join(str(p) for p in ch["ec_point_formats"]),
]
ja3_str = ",".join(parts)
return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest()
# JA3 fingerprint spec uses MD5; not security-relevant.
return ja3_str, hashlib.md5(ja3_str.encode(), usedforsecurity=False).hexdigest()
def _ja3s(sh: dict[str, Any]) -> tuple[str, str]:
@@ -650,7 +651,8 @@ def _ja3s(sh: dict[str, Any]) -> tuple[str, str]:
"-".join(str(e) for e in sh["extensions"]),
]
ja3s_str = ",".join(parts)
return ja3s_str, hashlib.md5(ja3s_str.encode()).hexdigest()
# JA3S fingerprint spec uses MD5; not security-relevant.
return ja3s_str, hashlib.md5(ja3s_str.encode(), usedforsecurity=False).hexdigest()
# ─── JA4 / JA4S computation ──────────────────────────────────────────────────
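Review bot: The new rationale comments above the `_ja3` and `_ja3s` return lines undersell what `usedforsecurity=False` does: beyond silencing bandit B324, it is what keeps `hashlib.md5()` callable on interpreters whose OpenSSL runs in FIPS mode, where the same call without the flag raises `ValueError` — so the flag is a runtime requirement for the sniffer, not only a lint annotation. I'd extend both comments to `# JA3 spec mandates MD5 as an identifier, not an integrity check; usedforsecurity=False also keeps md5() usable under FIPS-mode OpenSSL` so the next maintainer does not drop it as lint noise. Since the two call sites now carry the identical keyword and justification, a small helper such as `def _fp_md5(s: str) -> str: return hashlib.md5(s.encode(), usedforsecurity=False).hexdigest()` would keep the flag and its rationale in one place and make a future JA4-style addition consistent. The `usedforsecurity` keyword exists only on Python 3.9+; the `dict[str, Any]` annotations in the signatures suggest that baseline already holds, but it is worth confirming against the project's declared minimum version. Both enclosing functions begin above their hunks.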