Sec fixes as raised by bandit (#917)

minor fixes to hashlib and jinja
This commit is contained in:
Hardik Shah 2025-01-31 13:44:26 -08:00 committed by GitHub
parent 7ea14ae62e
commit a7b929f17e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 53 additions and 56 deletions


@ -50,7 +50,10 @@ def setup_verify_download_parser(parser: argparse.ArgumentParser) -> None:
def calculate_md5(filepath: Path, chunk_size: int = 8192) -> str:
md5_hash = hashlib.md5()
# NOTE: MD5 is used here only for download integrity verification,
# not for security purposes
# TODO: switch to SHA256
md5_hash = hashlib.md5(usedforsecurity=False)
with open(filepath, "rb") as f:
for chunk in iter(lambda: f.read(chunk_size), b""):
md5_hash.update(chunk)