Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: pysha3 lib #12

Merged
merged 2 commits into from
Oct 31, 2023
Merged

fix: pysha3 lib #12

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
59f6f02
fix(deprecated): lib pysha3 has reached its end of life is no longer …
olivmath Oct 31, 2023
d0c3b58
update: version, with security
olivmath Oct 31, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 19 additions & 11 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,19 +2,27 @@

## Supported Versions

Use this section to tell people about which versions of your project are
currently being supported with security updates.
| Version | Supported |
| ------- | --------- |
| > 0.8.1 | ✅ |
| 0.7.x | ❌ |
| 0.6.x | ❌ |
| 0.5.x | ❌ |
| 0.4.x | ❌ |
| < 0.4.x | ❌ |

| Version | Supported |
| -------- | ------------------ |
| 0.4.x | ✅ |
| < 0.4.x | ✅ |
## Reporting a Vulnerability

- [x] pysha3 has deprecated, update to 0.8.1

## Reporting a Vulnerability
## Important Note Regarding Deprecation

**[Merkly]** has recently undergone a significant update. We have deprecated the use of the `pysha3` package and replaced it with the more secure and actively maintained `pycryptodome` package, starting from version 0.8.1

This update is essential for maintaining the security and reliability of our library. We strongly encourage all users to upgrade to at least version 0.8.1 or later.

If you are using an older version of the library that depends on `pysha3`, it is no longer supported and may have security vulnerabilities. We recommend updating to the latest version immediately.

Use this section to tell people how to report a vulnerability.
We take security seriously, and this update is aimed at providing a safer and more reliable library for our users.

Tell them where to go, how often they can expect to get an update on a
reported vulnerability, what to expect if the vulnerability is accepted or
declined, etc.
Thank you for your understanding and cooperation.
8 changes: 6 additions & 2 deletions merkly/utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"""

from typing import Callable, List, Tuple
from sha3 import keccak_256
from Crypto.Hash import keccak as cryptodome_keccak
import types


Expand Down Expand Up @@ -43,7 +43,11 @@ def keccak(data: str) -> str:
"541111248b45b7a8dc3f5579f630e74cb01456ea6ac067d3f4d793245a255155"
```
"""
return keccak_256(data.encode()).hexdigest()

keccak_256 = cryptodome_keccak.new(digest_bits=256)
keccak_256.update(data.encode())

return keccak_256.hexdigest()


def half(list_item: List[int]) -> Tuple[int, int]:
Expand Down
8 changes: 4 additions & 4 deletions pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[tool.poetry]
name = "merkly"
version = "0.8.0"
version = "0.8.1"
description = "🌳 The simple and easy implementation of Merkle Tree"
authors = ["Lucas Oliveira <[email protected]>"]
repository = "https://github.com/olivmath/merkly.git"
Expand All @@ -16,14 +16,14 @@ keywords = [
]

[tool.poetry.dependencies]
python = "^3.8"
pysha3 = "^1.0.2"
pycryptodome = "^3.19.0"
pydantic = "^1.10.2"
coverage = "^7.2.7"
python = "^3.8"

[tool.poetry.dev-dependencies]
conventional-pre-commit = "^2.1.1"
pre-commit = "^3.0.3"
coverage = "^7.2.7"
pyclean = "^2.2.0"
pytest = "^7.2.1"
black = "^23.1.0"
Expand Down