dateparser doesn't work in FIPS compliant environments #1258

Open
trevor-scale opened this issue Mar 14, 2025 · 9 comments

@trevor-scale

Many secure environments disable the hashlib.md5 function because it is insecure; this causes the line below to fail, making dateparser unusable in these environments:

return hashlib.md5("".join(keys).encode("utf-8")).hexdigest()

This can easily be remedied by replacing that line with return hashlib.md5("".join(keys).encode("utf-8"), usedforsecurity=False).hexdigest(), which appropriately bypasses the FIPS security check because dateparser is not using the md5 hash for security applications.

This is a great project, would appreciate it if this fix could be pushed so it becomes useable in FIPS-compliant environments!

@trevor-scale
Author

Thanks for the ack. I'd be happy to PR this myself if you give me permissions to contribute!

@Gallaecio
Member

No need for permissions, feel free to create a PR from a fork.

@ghmj2417

If trevor-scale is unable to create the PR, I would be more than happy to do it. However, wouldn't this change be a breaking change, since the setup.py requires Python 3.8 or later? This change would force users to 3.9.

@trevor-scale
Author

trevor-scale commented Apr 15, 2025

That's a good point. It's a bit ugly, but we can do a check on sys.version.info and only set the usedforsecurity=False flag if the version is >=3.9.

@ghmj2417

This should support >= 3.8
return hashlib.new("md5", "".join(keys).encode("utf-8"), usedforsecurity=True).hexdigest()

@trevor-scale
Author

PR submitted here: #1267

@ghmj2417

@trevor-scale The code I pasted above was a test to make sure the command still failed within a FIPS enabled environment. For it to work properly in this setup, it would need to set usedforsecurity=False

@Gallaecio
Member

Removing support for 3.8 is fine, it is end-of-life.

@ghmj2417

ghmj2417 commented May 9, 2025

@trevor-scale Looks like @Gallaecio doesn't mind the breaking change since 3.8 is end of support. I will leave it to you guys on how the PR should be adjusted.

Also, I am not a maintainer of this repo so I cannot approve or merge the PR.
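
The version-gated approach discussed in this thread, as an added example (not dateparser's code and not the contents of PR #1267). The names `md5_supports_flag`, `plain_md5_blocked` and `cache_key` are hypothetical, and the block assumes the digest is only a lookup key, never a security control.

```python
import hashlib
import sys


def md5_supports_flag(version_info=sys.version_info):
    """True when hashlib constructors accept usedforsecurity (Python 3.9+)."""
    return tuple(version_info[:2]) >= (3, 9)


def plain_md5_blocked():
    """Probe: does this interpreter refuse a plain hashlib.md5() call?

    Interpreters linked against a FIPS-enforcing OpenSSL raise ValueError here.
    """
    try:
        hashlib.md5(b"probe")
    except ValueError:
        return True
    return False


def cache_key(keys, version_info=sys.version_info):
    """Hex digest of the joined keys, used as a non-security identifier."""
    data = "".join(keys).encode("utf-8")
    if md5_supports_flag(version_info):
        # Declares the non-security use so a FIPS build permits MD5.
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    try:
        # Python 3.8 path: the flag does not exist, so FIPS builds still fail.
        return hashlib.md5(data).hexdigest()
    except ValueError as exc:
        raise RuntimeError(
            "MD5 is blocked and this Python lacks usedforsecurity; "
            "upgrade to 3.9 or later"
        ) from exc


if __name__ == "__main__":
    # Constructed sample input, not real dateparser settings keys.
    print("plain md5 blocked:", plain_md5_blocked())
    print("cache key:", cache_key(["a", "b", "c"]))
```

The digest is unchanged by the flag, so keys computed before and after the change still match.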
