Update md5 to sha3256

2025-12-28 02:08:29 +00:00 · 2024-10-27 18:16:03 +08:00
8 changed files with 37 additions and 13 deletions
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -0,0 +1,23 @@
+CrewAI takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organization.
+
+If you believe you have found a security vulnerability in any CrewAI product or service, please report it to us as described below.
+
+## Reporting a Vulnerability
+
+Please do not report security vulnerabilities through public GitHub issues.
+
+To report a vulnerability, please email us at security@crewai.com.
+
+Please include the requested information listed below so that we can triage your report more quickly
+
+- Type of issue (e.g. SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue (please include screenshots if needed)
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit the issue
+
+Once we have received your report, we will respond to you at the email address you provide. If the issue is confirmed, we will release a patch as soon as possible depending on the complexity of the issue.
+
+At this time, we are not offering a bug bounty program. Any rewards will be at our discretion.
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@ rc-tests/*
 temp/*
 .vscode/*
 crew_tasks_output.json
+.dccache
--- a/src/crewai/agents/agent_builder/base_agent.py
+++ b/src/crewai/agents/agent_builder/base_agent.py
@@ -1,7 +1,7 @@
 import uuid
 from abc import ABC, abstractmethod
 from copy import copy as shallow_copy
-from hashlib import md5
+from hashlib import sha256
 from typing import Any, Dict, List, Optional, TypeVar

 from pydantic import (
@@ -181,7 +181,7 @@ class BaseAgent(ABC, BaseModel):
            self._original_goal or self.goal,
            self._original_backstory or self.backstory,
        ]
-        return md5("|".join(source).encode(), usedforsecurity=False).hexdigest()
+        return sha256("|".join(source).encode()).hexdigest()

    @abstractmethod
    def execute_task(
--- a/src/crewai/crew.py
+++ b/src/crewai/crew.py
@@ -4,7 +4,7 @@ import os
 import uuid
 import warnings
 from concurrent.futures import Future
-from hashlib import md5
+from hashlib import sha256
 from typing import TYPE_CHECKING, Any, Dict, List, Optional, Tuple, Union

 from pydantic import (
@@ -388,7 +388,7 @@ class Crew(BaseModel):
        source = [agent.key for agent in self.agents] + [
            task.key for task in self.tasks
        ]
-        return md5("|".join(source).encode(), usedforsecurity=False).hexdigest()
+        return sha256("|".join(source).encode()).hexdigest()

    def _setup_from_config(self):
        assert self.config is not None, "Config should not be None."
--- a/src/crewai/task.py
+++ b/src/crewai/task.py
@@ -5,7 +5,7 @@ import threading
 import uuid
 from concurrent.futures import Future
 from copy import copy
-from hashlib import md5
+from hashlib import sha256
 from typing import Any, Dict, List, Optional, Set, Tuple, Type, Union

 from opentelemetry.trace import Span
@@ -196,7 +196,7 @@ class Task(BaseModel):
        expected_output = self._original_expected_output or self.expected_output
        source = [description, expected_output]

-        return md5("|".join(source).encode(), usedforsecurity=False).hexdigest()
+        return sha256("|".join(source).encode()).hexdigest()

    def execute_async(
        self,
--- a/tests/agents/agent_builder/base_agent_test.py
+++ b/tests/agents/agent_builder/base_agent_test.py
@@ -1,4 +1,4 @@
-import hashlib
+from hashlib import sha256
 from typing import Any, List, Optional

 from crewai.agents.agent_builder.base_agent import BaseAgent
@@ -32,5 +32,5 @@ def test_key():
        goal="test goal",
        backstory="test backstory",
    )
-    hash = hashlib.md5("test role|test goal|test backstory".encode()).hexdigest()
+    hash = sha256("test role|test goal|test backstory".encode()).hexdigest()
    assert agent.key == hash
--- a/tests/crew_test.py
+++ b/tests/crew_test.py
@@ -1,6 +1,6 @@
 """Test Agent creation and execution basic functionality."""

-import hashlib
+from hashlib import sha256
 import json
 from concurrent.futures import Future
 from unittest import mock
@@ -2328,7 +2328,7 @@ def test_key():
        process=Process.sequential,
        tasks=tasks,
    )
-    hash = hashlib.md5(
+    hash = sha256(
        f"{researcher.key}|{writer.key}|{tasks[0].key}|{tasks[1].key}".encode()
    ).hexdigest()

@@ -2368,7 +2368,7 @@ def test_key_with_interpolated_inputs():
        process=Process.sequential,
        tasks=tasks,
    )
-    hash = hashlib.md5(
+    hash = sha256(
        f"{researcher.key}|{writer.key}|{tasks[0].key}|{tasks[1].key}".encode()
    ).hexdigest()

--- a/tests/task_test.py
+++ b/tests/task_test.py
@@ -1,6 +1,6 @@
 """Test Agent creation and execution basic functionality."""

-import hashlib
+from hashlib import sha256  
 import json
 import os
 from unittest.mock import MagicMock, patch
@@ -819,7 +819,7 @@ def test_key():
        description=original_description,
        expected_output=original_expected_output,
    )
-    hash = hashlib.md5(
+    hash = sha256(
        f"{original_description}|{original_expected_output}".encode()
    ).hexdigest()