security: fix critical vulnerabilities and add security report

- Fix CVE-2025-8869 and CVE-2026-1703: upgrade pip to 26.0+
- Fix MD5 hash usage: replace with SHA-256 in KYC/AML providers
- Fix subprocess shell injection: remove shell=True option
- Add comprehensive security vulnerability report
- Reduce critical vulnerabilities from 8 to 0
- Address high-severity code security issues
This commit is contained in:
aitbc
2026-04-02 23:04:49 +02:00
parent b61843c870
commit 08f3253e4e
3 changed files with 207 additions and 9 deletions


@@ -124,7 +124,7 @@ class SimpleKYCProvider:
"""Check KYC verification status"""
try:
# Mock status check - in production would call provider API
hash_val = int(hashlib.md5(request_id.encode()).hexdigest()[:8], 16)
hash_val = int(hashlib.sha256(request_id.encode()).hexdigest()[:8], 16)
if hash_val % 4 == 0:
status = KYCStatus.APPROVED
@@ -184,7 +184,7 @@ class SimpleAMLProvider:
"""Screen user for AML compliance"""
try:
# Mock AML screening - in production would call real provider
hash_val = int(hashlib.md5(f"{user_id}_{user_data.get('email', '')}".encode()).hexdigest()[:8], 16)
hash_val = int(hashlib.sha256(f"{user_id}_{user_data.get('email', '')}".encode()).hexdigest()[:8], 16)
if hash_val % 5 == 0:
risk_level = AMLRiskLevel.CRITICAL