Cryptography

PyHashlib

The hashlib module provides cryptographic hash functions. md5 and sha1 are cryptographically broken; the rule reports a finding when either is used for password hashing or for signatures. For password hashing use hashlib.scrypt, hashlib.pbkdf2_hmac, or the passlib / argon2-cffi packages.

Summary: 2 sinks, 2 sanitizers
Taint flow: 0 sources, 2 sanitizers → 2 sinks
Sanitizers (block taint): .pbkdf2_hmac(), .scrypt()
Sinks (dangerous call): .md5(), .sha1()

Sinks

.md5() [Sink]
Signature: hashlib.md5(data: bytes = b'', *, usedforsecurity=True) -> Hash

MD5 hash. Broken for cryptographic use; reported as a finding when used for password hashing or digital signatures.

.sha1() [Sink]
Signature: hashlib.sha1(data: bytes = b'', *, usedforsecurity=True) -> Hash

SHA-1 hash. Broken for cryptographic use; reported as a finding in signature contexts.

Sanitizers

.pbkdf2_hmac() [Sanitizer]
Signature: hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) -> bytes

Password-based key derivation. Safe with iterations ≥ 100_000.

Tracks: return value

.scrypt() [Sanitizer]
Signature: hashlib.scrypt(password, *, salt, n, r, p, maxmem=0, dklen=64) -> bytes

Memory-hard password hash. Safe.

Tracks: return value

Other Methods

.sha256() [Neutral]
Signature: hashlib.sha256(data: bytes = b'') -> Hash

SHA-256 hash. Acceptable for digests; use scrypt / pbkdf2_hmac for passwords.
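The following added example (not code from the rule or from the codepathfinder project) shows the patterns this rule distinguishes: an MD5 call on a password (a sink), the pbkdf2_hmac and scrypt sanitizers whose return values are treated as safe, and an MD5 call marked usedforsecurity=False for a plain integrity checksum. The iteration count, scrypt parameters and salt length are assumptions chosen to meet the thresholds stated above.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed iteration count; the rule treats >= 100_000 as safe.
PBKDF2_ITERATIONS = 600_000


def weak_password_hash(password: str) -> str:
    """Sink: MD5 over a password. This is what the rule reports."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Sanitizer: PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, key)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)
    return salt, key


def hash_password_scrypt(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Sanitizer: scrypt. n=2**14, r=8, p=1 needs 16 MiB, under the default maxmem."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes, scheme: str = "pbkdf2") -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    if scheme == "pbkdf2":
        _, key = hash_password_pbkdf2(password, salt)
    elif scheme == "scrypt":
        _, key = hash_password_scrypt(password, salt)
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    return hmac.compare_digest(key, expected)


def file_checksum(data: bytes) -> str:
    """Non-security MD5 (integrity checksum only). usedforsecurity=False records
    the intent for reviewers and keeps the call working under FIPS-mode OpenSSL."""
    return hashlib.md5(data, usedforsecurity=False).hexdigest()
```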

Fully-Qualified Names

FQN      Field
hashlib  fqns[0]

A wrong FQN produces 0 findings. To verify the rule is actually matching on the FQN, change fqns to a garbage value: the rule must then produce 0 results.

Import

rule.py:
from codepathfinder.go_rule import PyHashlib