dateparser doesn't work in FIPS compliant environments · scrapinghub/dateparser#1258

(9 comments) (3 reactions) (0 assignees)Python (2,318 stars) (443 forks)batch import

Status: Bug confirmedType: Buggood first issue

Description

Many secure environments disable the hashlib.md5 function because it is insecure, the causes the line below to fail making dateparser unusable in these environments:

https://github.com/scrapinghub/dateparser/blob/02bd2e5dd4477b4f6db98c5e98149458eb3cc821/dateparser/conf.py#L52

This can easily be remedied by replacing that line with return hashlib.md5("".join(keys).encode("utf-8"), usedforsecurity=False).hexdigest() which appropriately bypasses the fips security check because dateparser is not using the md5 hash for security applications.

This is a great project, would appreciate it if this fix could be pushed so it becomes useable in FIPS-compliant environments!

Contributor guide

Tech stack: python
Domain: security
Issue type: bug
Difficulty: 1
Estimated time: under 1 hour
Activity status: fresh
Clarity: clear
Prerequisites: Pythonunderstanding of FIPS compliance
Newbie friendliness: 90
Research direction: The issue is in dateparser/conf.py line 52. The current code uses hashlib.md5(...) without the usedforsecurity parameter. To fix, change the call to hashlib.md5("".join(keys).encode("utf 8"), usedforsecurity=False).hexdigest(). No new dependencies or tests are required, but ensure existing tests pass. The maintainers may discuss if this change is acceptable for all environments.