Migrate MD5 hashing to SHA256

Continue using MD5 hashing in Axes test settings as it offers better performance for test runs without compromising security for users
2026-03-16 22:30:23 +00:00 · 2022-05-15 15:07:18 +03:00 · 2022-05-15 15:07:18 +03:00 · 4490013111
commit 4490013111
parent 68a4827870
3 changed files with 9 additions and 6 deletions
--- a/axes/helpers.py
+++ b/axes/helpers.py
@ -1,5 +1,5 @@
 from datetime import timedelta
-from hashlib import md5
+from hashlib import sha256
 from logging import getLogger
 from string import Template
 from typing import Callable, Optional, Type, Union
@ -214,7 +214,7 @@ def make_cache_key_list(filter_kwargs_list):
        cache_key_components = "".join(
            value for value in filter_kwargs.values() if value
        )
-        cache_key_digest = md5(cache_key_components.encode()).hexdigest()
+        cache_key_digest = sha256(cache_key_components.encode()).hexdigest()
        cache_keys.append(f"axes-{cache_key_digest}")
    return cache_keys

--- a/tests/settings.py
+++ b/tests/settings.py
@ -24,6 +24,9 @@ AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",
 ]

+# Use MD5 for tests as it is considerably faster than other options
+# note that this should never be used in any online setting
+# where users actually log in to the system due to easy exploitability
 PASSWORD_HASHERS = ["django.contrib.auth.hashers.MD5PasswordHasher"]

 ROOT_URLCONF = "tests.urls"
--- a/tests/test_helpers.py
+++ b/tests/test_helpers.py
@ -1,5 +1,5 @@
 from datetime import timedelta
-from hashlib import md5
+from hashlib import sha256
 from unittest.mock import patch

 from django.contrib.auth import get_user_model
@ -353,7 +353,7 @@ class ClientCacheKeyTestCase(AxesTestCase):
        Test the cache key format.
        """

-        cache_hash_digest = md5(self.ip_address.encode()).hexdigest()
+        cache_hash_digest = sha256(self.ip_address.encode()).hexdigest()
        cache_hash_key = f"axes-{cache_hash_digest}"

        # Getting cache key from request
@ -385,7 +385,7 @@ class ClientCacheKeyTestCase(AxesTestCase):

        empty_ip_address = ""

-        cache_hash_digest = md5(empty_ip_address.encode()).hexdigest()
+        cache_hash_digest = sha256(empty_ip_address.encode()).hexdigest()
        cache_hash_key = f"axes-{cache_hash_digest}"

        # Getting cache key from request
@ -418,7 +418,7 @@ class ClientCacheKeyTestCase(AxesTestCase):
        """

        ip_address = self.ip_address
-        cache_hash_digest = md5(ip_address.encode()).hexdigest()
+        cache_hash_digest = sha256(ip_address.encode()).hexdigest()
        cache_hash_key = f"axes-{cache_hash_digest}"

        # Getting cache key from request