fix: md5 → sha256 替换文件校验哈希算法,消除 bandit CWE-327
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
+10
-10
@@ -931,7 +931,7 @@ async def upload_zip(
|
|||||||
raise HTTPException(status_code=500, detail=f"解压失败: {e}")
|
raise HTTPException(status_code=500, detail=f"解压失败: {e}")
|
||||||
|
|
||||||
|
|
||||||
# ── Post-Push Verification (md5sum comparison) ──
|
# ── Post-Push Verification (sha256sum comparison) ──
|
||||||
|
|
||||||
@router.post("/verify")
|
@router.post("/verify")
|
||||||
async def verify_sync(
|
async def verify_sync(
|
||||||
@@ -939,10 +939,10 @@ async def verify_sync(
|
|||||||
request: Request,
|
request: Request,
|
||||||
admin: Admin = Depends(get_current_admin),
|
admin: Admin = Depends(get_current_admin),
|
||||||
):
|
):
|
||||||
"""Verify pushed files by comparing md5sums between source and target servers.
|
"""Verify pushed files by comparing sha256sums between source and target servers.
|
||||||
|
|
||||||
Walks the local source directory and computes md5 for each file,
|
Walks the local source directory and computes sha256 for each file,
|
||||||
then runs md5sum on each target server via SSH and compares.
|
then runs sha256sum on each target server via SSH and compares.
|
||||||
Returns per-server results: matched / missing / mismatched file lists.
|
Returns per-server results: matched / missing / mismatched file lists.
|
||||||
"""
|
"""
|
||||||
import asyncio
|
import asyncio
|
||||||
@@ -956,7 +956,7 @@ async def verify_sync(
|
|||||||
if not os.path.isdir(payload.source_path):
|
if not os.path.isdir(payload.source_path):
|
||||||
raise HTTPException(status_code=400, detail=f"源路径不存在: {payload.source_path}")
|
raise HTTPException(status_code=400, detail=f"源路径不存在: {payload.source_path}")
|
||||||
|
|
||||||
# Build local file manifest: {relative_path: md5hex}
|
# Build local file manifest: {relative_path: sha256hex}
|
||||||
local_files = {}
|
local_files = {}
|
||||||
for root, dirs, fnames in os.walk(payload.source_path):
|
for root, dirs, fnames in os.walk(payload.source_path):
|
||||||
for fn in fnames:
|
for fn in fnames:
|
||||||
@@ -965,7 +965,7 @@ async def verify_sync(
|
|||||||
if len(local_files) >= payload.max_files:
|
if len(local_files) >= payload.max_files:
|
||||||
break
|
break
|
||||||
try:
|
try:
|
||||||
h = hashlib.md5()
|
h = hashlib.sha256()
|
||||||
with open(full, "rb") as f:
|
with open(full, "rb") as f:
|
||||||
for chunk in iter(lambda: f.read(8192), b""):
|
for chunk in iter(lambda: f.read(8192), b""):
|
||||||
h.update(chunk)
|
h.update(chunk)
|
||||||
@@ -990,10 +990,10 @@ async def verify_sync(
|
|||||||
return
|
return
|
||||||
|
|
||||||
dest = payload.target_path or server.target_path or "/tmp/sync"
|
dest = payload.target_path or server.target_path or "/tmp/sync"
|
||||||
# Run md5sum on remote server for the same relative paths
|
# Run sha256sum on remote server for the same relative paths
|
||||||
# Build a file list for md5sum to check
|
# Build a file list for sha256sum to check
|
||||||
file_list = " ".join(shlex.quote(f) for f in local_files.keys())
|
file_list = " ".join(shlex.quote(f) for f in local_files.keys())
|
||||||
cmd = f"cd {shlex.quote(dest)} && md5sum {file_list} 2>/dev/null"
|
cmd = f"cd {shlex.quote(dest)} && sha256sum {file_list} 2>/dev/null"
|
||||||
|
|
||||||
try:
|
try:
|
||||||
r = await exec_ssh_command(server, cmd, timeout=60)
|
r = await exec_ssh_command(server, cmd, timeout=60)
|
||||||
@@ -1004,7 +1004,7 @@ async def verify_sync(
|
|||||||
}
|
}
|
||||||
return
|
return
|
||||||
|
|
||||||
# Parse md5sum output: "hash filename"
|
# Parse sha256sum output: "hash filename"
|
||||||
remote_files = {}
|
remote_files = {}
|
||||||
if r["exit_code"] == 0:
|
if r["exit_code"] == 0:
|
||||||
for line in r["stdout"].strip().split("\n"):
|
for line in r["stdout"].strip().split("\n"):
|
||||||
|
|||||||
Reference in New Issue
Block a user