Making streamlit FIPS compliant #7526

Closed
2 tasks done
DueViktor opened this issue Oct 10, 2023 · 2 comments · Fixed by #7527
Labels
area:security type:enhancement Requests for feature enhancements or new features

Comments

@DueViktor
Contributor

Checklist

  • I have searched the existing issues for similar feature requests.
  • I added a descriptive title and summary to this issue.

Summary

The following issue and attached pull request explain and solve the problem introduced and partly solved in #7120.

The usage of streamlit with FIPS-compliant systems is not possible in the current streamlit version. This is caused by the usage of hashing algorithms that are proven to be insecure.

Why?

The problem is mainly with regard to the usage of MD5, as explained in the hashlib documentation:

Warning Some algorithms have known hash collision weaknesses (including MD5 and SHA1). Refer to Attacks on cryptographic hash algorithms and the hashlib-seealso section at the end of this document.

How?

Streamlit is not using the algorithms for security purposes, and they can therefore easily be changed. Hashlib introduced the usedforsecurity kwarg in Python 3.9 (hashlib documentation), which can easily solve the problem.

Since streamlit supports Python version 3.8, I'll add behaviour similar to runtime.py.

Additional Context

To be FIPS compliant, an organization must adhere to the various data security and computer system standards outlined in the Federal Information Processing Standards (FIPS).
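
An added illustration of the approach described in this issue (not part of the original post and not Streamlit's own code): a version-gated wrapper that passes usedforsecurity=False on Python 3.9+ and omits it on 3.8. The names non_security_md5, md5_allowed_by_default and stable_id are hypothetical, and the identifier use case is constructed.

```python
import hashlib
import sys
from typing import Iterable

# Hypothetical helper names; not taken from the Streamlit code base.
_HAS_USEDFORSECURITY = sys.version_info >= (3, 9)


def non_security_md5(data: bytes = b""):
    """MD5 object for non-security purposes only (cache keys, element IDs)."""
    if _HAS_USEDFORSECURITY:
        # Declares that the digest is not a security control, which lets a
        # FIPS-restricted OpenSSL build permit MD5 for this call.
        return hashlib.md5(data, usedforsecurity=False)
    # Python 3.8 has no such keyword; passing it would raise TypeError.
    return hashlib.md5(data)


def md5_allowed_by_default() -> bool:
    """Probe: does a plain hashlib.md5() call work on this interpreter?

    On FIPS-enforcing builds the plain call typically raises ValueError.
    """
    try:
        hashlib.md5(b"")
    except ValueError:
        return False
    return True


def stable_id(parts: Iterable[str]) -> str:
    """Deterministic identifier from string parts (constructed use case)."""
    h = non_security_md5()
    for part in parts:
        raw = part.encode("utf-8")
        # Length prefix keeps ("ab", "c") distinct from ("a", "bc").
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.hexdigest()


if __name__ == "__main__":
    print("plain md5 allowed:", md5_allowed_by_default())
    print("id:", stable_id(["script.py", "slider", "0"]))
```

The wrapper is only appropriate where a collision has no security consequence; anything used for integrity or authentication should move to a FIPS-approved hash instead.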

@DueViktor DueViktor added the type:enhancement Requests for feature enhancements or new features label Oct 10, 2023
@github-actions

To help Streamlit prioritize this feature, react with a 👍 (thumbs up emoji) to the initial post.

Your vote helps us identify which enhancements matter most to our users.


@DueViktor
Contributor Author

This PR is similar to #7122, reviewed by @vdonato

3 participants