From 44900131113aff331a8a79609f093dc5e19a9ca7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aleksi=20H=C3=A4kli?=
Date: Sun, 15 May 2022 15:07:18 +0300
Subject: [PATCH] Migrate MD5 hashing to SHA256

Continue using MD5 hashing in Axes test settings as it offers better
performance for test runs without compromising security for users
---
 axes/helpers.py | 4 ++--
 tests/settings.py | 3 +++
 tests/test_helpers.py | 8 ++++----
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/axes/helpers.py b/axes/helpers.py
index e85c8d7..577112f 100644
--- a/axes/helpers.py
+++ b/axes/helpers.py
@@ -1,5 +1,5 @@
 from datetime import timedelta
-from hashlib import md5
+from hashlib import sha256
 from logging import getLogger
 from string import Template
 from typing import Callable, Optional, Type, Union
@@ -214,7 +214,7 @@ def make_cache_key_list(filter_kwargs_list):
         cache_key_components = "".join(
             value for value in filter_kwargs.values() if value
         )
-        cache_key_digest = md5(cache_key_components.encode()).hexdigest()
+        cache_key_digest = sha256(cache_key_components.encode()).hexdigest()
         cache_keys.append(f"axes-{cache_key_digest}")
     return cache_keys
diff --git a/tests/settings.py b/tests/settings.py
index 43de0b4..949aad8 100644
--- a/tests/settings.py
+++ b/tests/settings.py
@@ -24,6 +24,9 @@ AUTHENTICATION_BACKENDS = [
     "django.contrib.auth.backends.ModelBackend",
 ]
+# Use MD5 for tests as it is considerably faster than other options
+# note that this should never be used in any online setting
+# where users actually log in to the system due to easy exploitability
 PASSWORD_HASHERS = ["django.contrib.auth.hashers.MD5PasswordHasher"]
 ROOT_URLCONF = "tests.urls"
diff --git a/tests/test_helpers.py b/tests/test_helpers.py
index f17bee0..30a216d 100644
--- a/tests/test_helpers.py
+++ b/tests/test_helpers.py
@@ -1,5 +1,5 @@
 from datetime import timedelta
-from hashlib import md5
+from hashlib import sha256
 from unittest.mock import patch
 from django.contrib.auth import get_user_model
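Review bot: The new `sha256(...)` line in make_cache_key_list changes the cache key format, so every lockout or attempt counter written under the md5 scheme becomes unreachable after upgrade and any in-progress lockout is silently forgotten until it is re-triggered; the commit message does not mention this. The digest here only normalises a key built from non-secret request attributes, so the benefit is presumably policy or FIPS compatibility rather than a cryptographic fix, and a short comment would stop the next reader from treating it as one, e.g. `# sha256 only normalises the key (inputs are not secret); changing the digest invalidates keys from older releases`. A changelog entry noting the key-format change would help operators who rely on persisted lockouts. The enclosing make_cache_key_list begins before the hunk.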
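Review bot: The added comment in tests/settings.py explains the risk as `due to easy exploitability`, which is vague about what actually goes wrong: Django's MD5PasswordHasher is salted but fast, so the problem is that a leaked password table can be brute-forced offline at high speed, not that the login flow itself becomes exploitable. Suggest rewording the third line to `# where users actually log in, because a leaked password table would be cheap to brute-force offline`.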
@@ -353,7 +353,7 @@ class ClientCacheKeyTestCase(AxesTestCase):
         Test the cache key format.
         """
-        cache_hash_digest = md5(self.ip_address.encode()).hexdigest()
+        cache_hash_digest = sha256(self.ip_address.encode()).hexdigest()
         cache_hash_key = f"axes-{cache_hash_digest}"
         # Getting cache key from request
@@ -385,7 +385,7 @@ class ClientCacheKeyTestCase(AxesTestCase):
         empty_ip_address = ""
-        cache_hash_digest = md5(empty_ip_address.encode()).hexdigest()
+        cache_hash_digest = sha256(empty_ip_address.encode()).hexdigest()
         cache_hash_key = f"axes-{cache_hash_digest}"
         # Getting cache key from request
@@ -418,7 +418,7 @@ class ClientCacheKeyTestCase(AxesTestCase):
         """
         ip_address = self.ip_address
-        cache_hash_digest = md5(ip_address.encode()).hexdigest()
+        cache_hash_digest = sha256(ip_address.encode()).hexdigest()
         cache_hash_key = f"axes-{cache_hash_digest}"
         # Getting cache key from request
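Review bot: All three hunks in ClientCacheKeyTestCase recompute the expected key with the same `sha256(...).hexdigest()` call the implementation uses, so the assertions only prove that test and code agree, not that the key format is the intended one — swapping the primitive again would pass these tests unchanged. The empty-address case at @@ -385 can pin a literal instead, since the SHA-256 of the empty string is a fixed constant: `cache_hash_key = "axes-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"`. The hunks at @@ -353 and @@ -418 could likewise assert a precomputed digest for the fixture address, which is set up outside the hunk. Each enclosing test method begins outside its hunk.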