)]}'
{"cinderclient/base.py":[{"author":{"_account_id":4523,"name":"Eric Harney","email":"eharney@redhat.com","username":"eharney"},"change_message_id":"0c7d552038bc523584f4e18ae22ee2fa2efaaefc","unresolved":false,"context_lines":[{"line_number":266,"context_line":"        username \u003d utils.env(\u0027OS_USERNAME\u0027, \u0027CINDER_USERNAME\u0027)"},{"line_number":267,"context_line":"        url \u003d utils.env(\u0027OS_URL\u0027, \u0027CINDER_URL\u0027)"},{"line_number":268,"context_line":"        uniqifier \u003d hashlib.sha256(username.encode(\u0027utf-8\u0027) +"},{"line_number":269,"context_line":"                                   url.encode(\u0027utf-8\u0027)).hexdigest()"},{"line_number":270,"context_line":""},{"line_number":271,"context_line":"        cache_dir \u003d os.path.expanduser(os.path.join(base_dir, uniqifier))"},{"line_number":272,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_01d62e50","line":269,"updated":"2019-08-20 15:22:35.000000000","message":"This one isn\u0027t insecure, because it\u0027s not used for anything where the hash method is relevant.\n\nIs there some other hash method we could replace it with that won\u0027t generate complaints when sha256 is considered insecure later?","commit_id":"803a625f115cc3d879864ca15017d731b6814ab0"},{"author":{"_account_id":29157,"name":"zhanghao","email":"hao.zhang.am.i@gmail.com","username":"zhanghao2"},"change_message_id":"40ab5b1a7e6c17d69078f08a8935a76e0b2f51f7","unresolved":false,"context_lines":[{"line_number":266,"context_line":"        username \u003d utils.env(\u0027OS_USERNAME\u0027, \u0027CINDER_USERNAME\u0027)"},{"line_number":267,"context_line":"        url \u003d utils.env(\u0027OS_URL\u0027, \u0027CINDER_URL\u0027)"},{"line_number":268,"context_line":"        uniqifier \u003d hashlib.sha256(username.encode(\u0027utf-8\u0027) +"},{"line_number":269,"context_line":"                                   
url.encode(\u0027utf-8\u0027)).hexdigest()"},{"line_number":270,"context_line":""},{"line_number":271,"context_line":"        cache_dir \u003d os.path.expanduser(os.path.join(base_dir, uniqifier))"},{"line_number":272,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_28b78323","line":269,"in_reply_to":"7faddb67_01d62e50","updated":"2019-08-21 01:32:19.000000000","message":"Hello Eric Harney, thank you for your review, I think it\u0027s better to be able to modify it, because it is used to create the directory, in addition, it can also pass the bandit detection. I don\u0027t know if there is such a method as you said. Currently, both nova and neutron clients use sha256.","commit_id":"803a625f115cc3d879864ca15017d731b6814ab0"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"332bef51b9c481176fdd2f34e49eda539fcd2839","unresolved":false,"context_lines":[{"line_number":266,"context_line":"        username \u003d utils.env(\u0027OS_USERNAME\u0027, \u0027CINDER_USERNAME\u0027)"},{"line_number":267,"context_line":"        url \u003d utils.env(\u0027OS_URL\u0027, \u0027CINDER_URL\u0027)"},{"line_number":268,"context_line":"        uniqifier \u003d hashlib.sha256(username.encode(\u0027utf-8\u0027) +"},{"line_number":269,"context_line":"                                   url.encode(\u0027utf-8\u0027)).hexdigest()"},{"line_number":270,"context_line":""},{"line_number":271,"context_line":"        cache_dir \u003d os.path.expanduser(os.path.join(base_dir, uniqifier))"},{"line_number":272,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_11df84d7","line":269,"in_reply_to":"7faddb67_28b78323","updated":"2019-09-03 14:28:04.000000000","message":"\u003e I don\u0027t know if\n \u003e there is such a method as you said. Currently, both nova and\n \u003e neutron clients use sha256.\n\nHow about sha512? 
It has better performance than sha256 [0].\n\n[0] https://opendev.org/openstack/glance-specs/src/branch/master/specs/rocky/implemented/glance/multihash.rst#performance-impact","commit_id":"803a625f115cc3d879864ca15017d731b6814ab0"}],"cinderclient/client.py":[{"author":{"_account_id":4523,"name":"Eric Harney","email":"eharney@redhat.com","username":"eharney"},"change_message_id":"8d344f8583cab5a3719f6ee78e060d5262af1135","unresolved":false,"context_lines":[{"line_number":320,"context_line":"    def _safe_header(self, name, value):"},{"line_number":321,"context_line":"        if name in HTTPClient.SENSITIVE_HEADERS:"},{"line_number":322,"context_line":"            encoded \u003d value.encode(\u0027utf-8\u0027)"},{"line_number":323,"context_line":"            hashed \u003d hashlib.sha256(encoded)"},{"line_number":324,"context_line":"            digested \u003d hashed.hexdigest()"},{"line_number":325,"context_line":"            return encodeutils.safe_decode(name), \"{SHA256}%s\" % digested"},{"line_number":326,"context_line":"        else:"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_7e46ae52","line":323,"updated":"2019-09-04 14:16:04.000000000","message":"I think this usage of sha1 is also not a security problem, and changing this to sha256 is actually perhaps worse for what this is doing.\n\nAs far as I can tell (with no comments documenting this method), this is used to generate output when debugging things at the CLI that masks headers that shouldn\u0027t be printed (auth tokens), but in a way that lets you see that the same header shows up more than once.  
Changing from sha1 to 256 means it\u0027s longer and harder to read/compare in the logs.\n\nThis looks like:\n    DEBUG:keystoneauth:REQ: curl -g -i -X GET http://10.16.151.37/volume/ -H \"Accept: application/json\" -H \"OpenStack-API-Version: volume 3.58\" -H \"User-Agent: python-cinderclient\" -H \"X-Auth-Token: {SHA256}135bb5d2ea78c3466d6222654185c5de2dac832e4d46c79e5ebbcfd081d3eb67\"\n\n(Which is kind of funny because the whole point of logging it as a \"curl\" command is that you could copy/paste it and run it, which clearly won\u0027t work if the token is masked this way...)\n\nBut -- where does SHA1 show up currently, anyway?  I\u0027m not running this patch and I already see SHA256 instead of SHA1 for headers (above).\n\nI think we need to thoroughly understand what this code does and document it before just changing it to make bandit happy.","commit_id":"803a625f115cc3d879864ca15017d731b6814ab0"},{"author":{"_account_id":4523,"name":"Eric Harney","email":"eharney@redhat.com","username":"eharney"},"change_message_id":"98aa5f9aa167f7601ba559ad678178fea06addb5","unresolved":false,"context_lines":[{"line_number":320,"context_line":"    def _safe_header(self, name, value):"},{"line_number":321,"context_line":"        if name in HTTPClient.SENSITIVE_HEADERS:"},{"line_number":322,"context_line":"            encoded \u003d value.encode(\u0027utf-8\u0027)"},{"line_number":323,"context_line":"            hashed \u003d hashlib.sha256(encoded)"},{"line_number":324,"context_line":"            digested \u003d hashed.hexdigest()"},{"line_number":325,"context_line":"            return encodeutils.safe_decode(name), \"{SHA256}%s\" % digested"},{"line_number":326,"context_line":"        else:"}],"source_content_type":"text/x-python","patch_set":1,"id":"7faddb67_1e7d3a6c","line":323,"in_reply_to":"7faddb67_7e46ae52","updated":"2019-09-04 14:19:08.000000000","message":"The answer for why I see the SHA256 masking is presumably because my \"normal\" CLI usage is using the 
session client and not HTTPClient.","commit_id":"803a625f115cc3d879864ca15017d731b6814ab0"}]}
