fixed issues raised by bandit

2025-08-07 02:58:21 +00:00 · 2025-01-31 13:03:27 -08:00 · 2025-01-31 13:03:27 -08:00 · acf98b49b0
commit acf98b49b0
parent 6a13461afa
3 changed files with 13 additions and 3 deletions
--- a/docs/openapi_generator/pyopenapi/generator.py
+++ b/docs/openapi_generator/pyopenapi/generator.py
@ -250,7 +250,9 @@ class ContentBuilder:
            value = sample_transformer(object_to_json(example))
            hash_string = (
-                hashlib.md5(json_dump_string(value).encode("utf-8")).digest().hex()
+                hashlib.sha256(json_dump_string(value).encode("utf-8"))
                .digest()
                .hex()[:16]
            )
            name = f"ex-{hash_string}"
--- a/llama_stack/cli/verify_download.py
+++ b/llama_stack/cli/verify_download.py
@ -50,7 +50,10 @@ def setup_verify_download_parser(parser: argparse.ArgumentParser) -> None:
 def calculate_md5(filepath: Path, chunk_size: int = 8192) -> str:
-    md5_hash = hashlib.md5()
+    # NOTE: MD5 is used here only for download integrity verification,
    # not for security purposes
    # TODO: switch to SHA256
    md5_hash = hashlib.md5(usedforsecurity=False)
    with open(filepath, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5_hash.update(chunk)
--- a/llama_stack/templates/template.py
+++ b/llama_stack/templates/template.py
@ -137,7 +137,12 @@ class DistributionTemplate(BaseModel):
        template = self.template_path.read_text()
        # Render template with rich-generated table
-        env = jinja2.Environment(trim_blocks=True, lstrip_blocks=True)
+        env = jinja2.Environment(
            trim_blocks=True,
            lstrip_blocks=True,
            # NOTE: autoescape is required to prevent XSS attacks
            autoescape=True,
        )
        template = env.from_string(template)
        return template.render(
            name=self.name,