From 16524ccfa818c25bd3f4f8776ef52e667c1bdb65 Mon Sep 17 00:00:00 2001
From: Rip&Tear <84775494+theCyberTech@users.noreply.github.com>
Date: Sun, 27 Oct 2024 18:16:03 +0800
Subject: [PATCH] Update md5 to sha3256

---
 .github/SECURITY.md | 23 +++++++++++++++++++
 .gitignore | 1 +
 src/crewai/agents/agent_builder/base_agent.py | 4 ++--
 src/crewai/crew.py | 4 ++--
 src/crewai/task.py | 4 ++--
 tests/agents/agent_builder/base_agent_test.py | 4 ++--
 tests/crew_test.py | 6 ++---
 tests/task_test.py | 4 ++--
 8 files changed, 37 insertions(+), 13 deletions(-)
 create mode 100644 .github/SECURITY.md

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644
index 000000000..b3cd55dc4
--- /dev/null
+++ b/.github/SECURITY.md
@@ -0,0 +1,23 @@
+CrewAI takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organization.
+
+If you believe you have found a security vulnerability in any CrewAI product or service, please report it to us as described below.
+
+## Reporting a Vulnerability
+
+Please do not report security vulnerabilities through public GitHub issues.
+
+To report a vulnerability, please email us at security@crewai.com.
+
+Please include the requested information listed below so that we can triage your report more quickly
+
+- Type of issue (e.g. SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue (please include screenshots if needed)
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit the issue
+
+Once we have received your report, we will respond to you at the email address you provide. If the issue is confirmed, we will release a patch as soon as possible depending on the complexity of the issue.
+
+At this time, we are not offering a bug bounty program. Any rewards will be at our discretion.
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index ad64db4e7..db8f88a3d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@ rc-tests/*
 temp/*
 .vscode/*
 crew_tasks_output.json
+.dccache
diff --git a/src/crewai/agents/agent_builder/base_agent.py b/src/crewai/agents/agent_builder/base_agent.py
index f42ab3172..d99949358 100644
--- a/src/crewai/agents/agent_builder/base_agent.py
+++ b/src/crewai/agents/agent_builder/base_agent.py
@@ -1,7 +1,7 @@
 import uuid
 from abc import ABC, abstractmethod
 from copy import copy as shallow_copy
-from hashlib import md5
+from hashlib import sha256
 from typing import Any, Dict, List, Optional, TypeVar
 
 from pydantic import (
@@ -181,7 +181,7 @@ class BaseAgent(ABC, BaseModel):
             self._original_goal or self.goal,
             self._original_backstory or self.backstory,
         ]
-        return md5("|".join(source).encode(), usedforsecurity=False).hexdigest()
+        return sha256("|".join(source).encode()).hexdigest()
 
     @abstractmethod
     def execute_task(
diff --git a/src/crewai/crew.py b/src/crewai/crew.py
index 29baa4499..8e7315eb2 100644
--- a/src/crewai/crew.py
+++ b/src/crewai/crew.py
@@ -4,7 +4,7 @@ import os
 import uuid
 import warnings
 from concurrent.futures import Future
-from hashlib import md5
+from hashlib import sha256
 from typing import TYPE_CHECKING, Any, Dict, List, Optional, Tuple, Union
 
 from pydantic import (
@@ -388,7 +388,7 @@ class Crew(BaseModel):
         source = [agent.key for agent in self.agents] + [
             task.key for task in self.tasks
         ]
-        return md5("|".join(source).encode(), usedforsecurity=False).hexdigest()
+        return sha256("|".join(source).encode()).hexdigest()
 
     def _setup_from_config(self):
         assert self.config is not None, "Config should not be None."
diff --git a/src/crewai/task.py b/src/crewai/task.py
index 82baa9959..39ca864a1 100644
--- a/src/crewai/task.py
+++ b/src/crewai/task.py
@@ -5,7 +5,7 @@ import threading
 import uuid
 from concurrent.futures import Future
 from copy import copy
-from hashlib import md5
+from hashlib import sha256
 from typing import Any, Dict, List, Optional, Set, Tuple, Type, Union
 
 from opentelemetry.trace import Span
@@ -196,7 +196,7 @@ class Task(BaseModel):
         expected_output = self._original_expected_output or self.expected_output
         source = [description, expected_output]
 
-        return md5("|".join(source).encode(), usedforsecurity=False).hexdigest()
+        return sha256("|".join(source).encode()).hexdigest()
 
     def execute_async(
         self,
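Review bot: The new `return sha256("|".join(source).encode()).hexdigest()` changes the value and the length (32 to 64 hex characters) of every agent key, so any persisted key computed with the old md5 form will no longer match; the same applies to the crew.py and task.py hunks in this patch, and Crew keys are built from the agent and task keys, so they change transitively. If keys are stored anywhere outside the process (an inference from their use as identifiers, not visible here), the patch needs a migration note in the description and ideally a test that pins one literal expected digest. The commit subject says "sha3256" while the code imports `sha256` (SHA-2); if SHA3-256 was intended the import should be `from hashlib import sha3_256`, otherwise the subject should read "sha256". Dropping `usedforsecurity=False` is fine because SHA-256 is permitted on FIPS-restricted builds, but the key is still an identifier rather than a security primitive, and a line `# Stable, fixed-length identity key; not used for integrity or authentication` above the return would keep the next reader from treating the upgrade as a security boundary. The enclosing `key` property starts above the hunk in all three files.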
diff --git a/tests/agents/agent_builder/base_agent_test.py b/tests/agents/agent_builder/base_agent_test.py
index 4e47f2271..6a34ad870 100644
--- a/tests/agents/agent_builder/base_agent_test.py
+++ b/tests/agents/agent_builder/base_agent_test.py
@@ -1,4 +1,4 @@
-import hashlib
+from hashlib import sha256
 from typing import Any, List, Optional
 
 from crewai.agents.agent_builder.base_agent import BaseAgent
@@ -32,5 +32,5 @@ def test_key():
         goal="test goal",
         backstory="test backstory",
     )
-    hash = hashlib.md5("test role|test goal|test backstory".encode()).hexdigest()
+    hash = sha256("test role|test goal|test backstory".encode()).hexdigest()
     assert agent.key == hash
diff --git a/tests/crew_test.py b/tests/crew_test.py
index c01e84f80..674a2929f 100644
--- a/tests/crew_test.py
+++ b/tests/crew_test.py
@@ -1,6 +1,6 @@
 """Test Agent creation and execution basic functionality."""
 
-import hashlib
+from hashlib import sha256
 import json
 from concurrent.futures import Future
 from unittest import mock
@@ -2328,7 +2328,7 @@ def test_key():
         process=Process.sequential,
         tasks=tasks,
     )
-    hash = hashlib.md5(
+    hash = sha256(
         f"{researcher.key}|{writer.key}|{tasks[0].key}|{tasks[1].key}".encode()
     ).hexdigest()
 
@@ -2368,7 +2368,7 @@ def test_key_with_interpolated_inputs():
         process=Process.sequential,
         tasks=tasks,
     )
-    hash = hashlib.md5(
+    hash = sha256(
         f"{researcher.key}|{writer.key}|{tasks[0].key}|{tasks[1].key}".encode()
     ).hexdigest()
 
diff --git a/tests/task_test.py b/tests/task_test.py
index 1e20c9491..e1f19aba7 100644
--- a/tests/task_test.py
+++ b/tests/task_test.py
@@ -1,6 +1,6 @@
 """Test Agent creation and execution basic functionality."""
 
-import hashlib
+from hashlib import sha256
 import json
 import os
 from unittest.mock import MagicMock, patch
@@ -819,7 +819,7 @@ def test_key():
         description=original_description,
         expected_output=original_expected_output,
     )
-    hash = hashlib.md5(
+    hash = sha256(
         f"{original_description}|{original_expected_output}".encode()
     ).hexdigest()
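Review bot: `hash = sha256("test role|test goal|test backstory".encode()).hexdigest()` keeps the pre-existing shadowing of the builtin `hash`; since the line is being rewritten anyway, `expected_key = sha256("test role|test goal|test backstory".encode()).hexdigest()` with `assert agent.key == expected_key` would remove it. The same `hash =` binding is rewritten in the crew_test.py hunks at 2328 and 2368 and in the task_test.py hunk at 819. Because each test recomputes the digest with the same algorithm and separator as the implementation, none of them would notice if the persisted key format were changed again; one assertion against a literal expected digest (computed once from the fixed "test role|test goal|test backstory" input) would make such a change deliberate. `def test_key()` starts above the hunk in every file.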