diff --git a/docs/openapi_generator/pyopenapi/generator.py b/docs/openapi_generator/pyopenapi/generator.py
index 05c609867..d3de0427f 100644
--- a/docs/openapi_generator/pyopenapi/generator.py
+++ b/docs/openapi_generator/pyopenapi/generator.py
@@ -250,7 +250,9 @@ class ContentBuilder:
         value = sample_transformer(object_to_json(example))
         hash_string = (
-            hashlib.md5(json_dump_string(value).encode("utf-8")).digest().hex()
+            hashlib.sha256(json_dump_string(value).encode("utf-8"))
+            .digest()
+            .hex()[:16]
         )
         name = f"ex-{hash_string}"
diff --git a/llama_stack/cli/verify_download.py b/llama_stack/cli/verify_download.py
index f86bed6af..68158243b 100644
--- a/llama_stack/cli/verify_download.py
+++ b/llama_stack/cli/verify_download.py
@@ -50,7 +50,10 @@ def setup_verify_download_parser(parser: argparse.ArgumentParser) -> None:
 
 
 def calculate_md5(filepath: Path, chunk_size: int = 8192) -> str:
-    md5_hash = hashlib.md5()
+    # NOTE: MD5 is used here only for download integrity verification,
+    # not for security purposes
+    # TODO: switch to SHA256
+    md5_hash = hashlib.md5(usedforsecurity=False)
     with open(filepath, "rb") as f:
         for chunk in iter(lambda: f.read(chunk_size), b""):
             md5_hash.update(chunk)
diff --git a/llama_stack/templates/template.py b/llama_stack/templates/template.py
index 78f57b795..d87830bca 100644
--- a/llama_stack/templates/template.py
+++ b/llama_stack/templates/template.py
@@ -137,7 +137,12 @@ class DistributionTemplate(BaseModel):
         template = self.template_path.read_text()
 
         # Render template with rich-generated table
-        env = jinja2.Environment(trim_blocks=True, lstrip_blocks=True)
+        env = jinja2.Environment(
+            trim_blocks=True,
+            lstrip_blocks=True,
+            # NOTE: autoescape is required to prevent XSS attacks
+            autoescape=True,
+        )
         template = env.from_string(template)
         return template.render(
             name=self.name,
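Review bot: Truncating the SHA-256 digest to `.hex()[:16]` leaves 64 bits of the hash for the example name, which is narrower than the 128-bit MD5 output it replaces, so two distinct examples are now more likely (still very unlikely, but silently) to collide on the same `ex-...` name. If the only goal is a stable, lint-clean identifier rather than a security property, say so and keep the full digest or at least a longer prefix, e.g. `# derive a stable, non-security name from the example's JSON; keep enough digest bits that distinct examples do not collide` above the assignment and `.hex()[:32]`. If collisions would overwrite an existing example, the caller should also check for an already-used name before assigning. The enclosing method of ContentBuilder starts and ends outside the hunk.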
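Review bot: The added comment in `calculate_md5` says MD5 is "not for security purposes", but a function that verifies a downloaded artifact against a published checksum is exactly a tamper-detection check, and `usedforsecurity=False` only silences FIPS/lint complaints without changing what the hash protects against. The comment should state the real constraint, which I presume is that the published checksums are MD5: `# NOTE: MD5 only because the published checksums are MD5; it detects accidental corruption but gives weak protection against deliberate tampering (collision attacks are practical). TODO: verify SHA256 once checksums are published for it.` Also worth noting that `usedforsecurity=` is accepted by `hashlib.md5` only on Python 3.9 and later; if the project supports older interpreters this line raises TypeError. The function's `return` is outside the hunk.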
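Review bot: `autoescape=True` HTML-escapes every rendered value (`&`, `<`, `>`, quotes), and the comment above it justifies this with XSS, but the surrounding context ("Render template with rich-generated table", a `DistributionTemplate` read from `template_path`) suggests this template produces documentation text rather than HTML served to a browser. If the output is Markdown or plain text, escaping will corrupt any provider name, URL or table cell containing those characters while preventing nothing, so please confirm the output format and either use `autoescape=jinja2.select_autoescape(default_for_string=False)` with the right file-extension selection, or reword the comment to `# NOTE: autoescape is on so values are HTML-safe if this output is ever embedded in a web page; the rendered text must not rely on raw &, <, > or quotes`. The enclosing method of DistributionTemplate starts before and ends after the hunk.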