apache · actionjax · Jul 27, 2022 · Mar 27, 2024
diff --git a/superset/key_value/utils.py b/superset/key_value/utils.py
@@ -61,7 +61,7 @@ def decode_permalink_id(key: str, salt: str) -> int:
 
 
 def get_uuid_namespace(seed: str) -> UUID:
-    md5_obj = md5()
+    md5_obj = md5(usedforsecurity=False)
     md5_obj.update(seed.encode("utf-8"))
     return UUID(md5_obj.hexdigest())
 

@@ -54,7 +54,7 @@ def table_has_column(table: str, column: str) -> bool:
 
 uuid_by_dialect = {
     MySQLDialect: "UNHEX(REPLACE(CONVERT(UUID() using utf8mb4), '-', ''))",
-    PGDialect: "uuid_in(md5(random()::text || clock_timestamp()::text)::cstring)",
+    PGDialect: "uuid_in(sha256(random()::text || clock_timestamp()::text)::cstring)",
 }
 
 

diff --git a/superset/utils/hashing.py b/superset/utils/hashing.py
@@ -21,7 +21,7 @@
 
 
 def md5_sha_from_str(val: str) -> str:
-    return hashlib.md5(val.encode("utf-8")).hexdigest()
+    return hashlib.md5(val.encode("utf-8"), usedforsecurity=False).hexdigest()
 
 
 def md5_sha_from_dict(

diff --git a/superset/utils/public_interfaces.py b/superset/utils/public_interfaces.py
@@ -40,13 +40,13 @@
 
 
 def compute_func_hash(function: Callable[..., Any]) -> str:
-    hashed = md5()
+    hashed = md5(usedforsecurity=False)
     hashed.update(str(signature(function)).encode())
     return b85encode(hashed.digest()).decode("utf-8")
 
 
 def compute_class_hash(class_: Callable[..., Any]) -> str:
-    hashed = md5()
+    hashed = md5(usedforsecurity=False)
     public_methods = sorted(
         [
             (name, method)