dateparser doesn't work in FIPS compliant environments

[trevor-scale]

Many secure environments disable the hashlib.md5 function because it is insecure, the causes the line below to fail making dateparser unusable in these environments:

dateparser/dateparser/conf.py

Line 52 in 02bd2e5

return hashlib.md5("".join(keys).encode("utf-8")).hexdigest()

This can easily be remedied by replacing that line with return hashlib.md5("".join(keys).encode("utf-8"), usedforsecurity=False).hexdigest() which appropriately bypasses the fips security check because dateparser is not using the md5 hash for security applications.

This is a great project, would appreciate it if this fix could be pushed so it becomes useable in FIPS-compliant environments!

[trevor-scale]

Thanks for the ack. I'd be happy to PR this myself if you give me permissions to contribute!

[Gallaecio]

No need for permissions, feel free to create a PR from a fork.

[ghmj2417]

If trevor-scale is unable to create the PR, I would be more than happy to do it. However, wouldn't this change be a breaking change since the setup.py requires python3.8 or later. This change would force users to 3.9.

[trevor-scale]

That's a good point. It's a bit ugly, but we can do a check on sys.version.info and only set the usedforsecurity=False flag if the version is >=3.9

[ghmj2417]

This should support >= 3.8
return hashlib.new("md5", "".join(keys).encode("utf-8"), usedforsecurity=True).hexdigest()

[trevor-scale]

PR submitted here: #1267

[ghmj2417]

@trevor-scale The code I pasted above was a test to make sure the command still failed within a FIPS enabled environment. For it to work properly in this setup, it would need to set usedforsecurity=False

[Gallaecio]

Removing support for 3.8 is fine, it is end-of-life.

[ghmj2417]

@trevor-scale Looks like @Gallaecio doesn't mind the breaking change since 3.8 is end of support. I will leave it to you guys on how the PR should be adjusted.

Also, I am not a maintainer of this repo so I cannot approve or merge the PR.