From dac05107a7ca347cfa0db121ba4158ee24a29a3d Mon Sep 17 00:00:00 2001
From: stumpylog <797416+stumpylog@users.noreply.github.com>
Date: Thu, 4 Jun 2026 11:37:17 -0700
Subject: [PATCH] ruff: enable S324 (hashlib insecure hash functions)

Adds usedforsecurity=False to all hashlib.md5() calls, documenting that these are used for file checksum comparison, not security. The production call in _path_matches_checksum will be replaced with compute_checksum() (SHA-256) in a separate branch.

Co-Authored-By: Claude Sonnet 4.6
---
 pyproject.toml | 1 +
 src/documents/signals/handlers.py | 2 +-
 src/documents/tests/test_file_handling.py | 7 +++++--
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 97dd6c2c5..470398ce7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -189,6 +189,7 @@ extend-select = [
 "COM", # https://docs.astral.sh/ruff/rules/#flake8-commas-com
 "DTZ", # https://docs.astral.sh/ruff/rules/#flake8-datetimez-dtz
 "PERF", # https://docs.astral.sh/ruff/rules/#perflint-perf
+ "S324", # https://docs.astral.sh/ruff/rules/hashlib-insecure-hash-functions/
 "DJ", # https://docs.astral.sh/ruff/rules/#flake8-django-dj
 "EXE", # https://docs.astral.sh/ruff/rules/#flake8-executable-exe
 "FBT", # https://docs.astral.sh/ruff/rules/#flake8-boolean-trap-fbt
diff --git a/src/documents/signals/handlers.py b/src/documents/signals/handlers.py
index a34a3acf9..5d0ab2dd0 100644
--- a/src/documents/signals/handlers.py
+++ b/src/documents/signals/handlers.py
@@ -411,7 +411,7 @@ def _path_matches_checksum(path: Path, checksum: str | None) -> bool:
 return False
 
 with path.open("rb") as f:
- return hashlib.md5(f.read()).hexdigest() == checksum
+ return hashlib.md5(f.read(), usedforsecurity=False).hexdigest() == checksum
 
 
 def _filename_template_uses_custom_fields(doc: Document) -> bool:
diff --git a/src/documents/tests/test_file_handling.py b/src/documents/tests/test_file_handling.py
index 308952a38..df0ea8026 100644
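Review bot: The changed line in `_path_matches_checksum` still slurps the whole file with `f.read()` before hashing, so a large document is held in memory just to compare a digest; a streaming form such as `return hashlib.file_digest(f, lambda: hashlib.md5(usedforsecurity=False)).hexdigest() == checksum` avoids that (`hashlib.file_digest` needs Python 3.11+, and the `usedforsecurity` keyword itself needs 3.9+, so this depends on the project's interpreter floor). Since the commit message says this call will move to `compute_checksum()` (SHA-256), the digest here must stay in step with how `Document.checksum` values were stored, or every existing file would report a mismatch after the switch; a comment such as `# Must use the same digest that produced Document.checksum; MD5 is only a change detector here, not an integrity or authentication guarantee.` would make that coupling explicit. The function's opening lines are outside this hunk, so the guard that leads to `return False` is not visible here.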
--- a/src/documents/tests/test_file_handling.py
+++ b/src/documents/tests/test_file_handling.py
@@ -220,8 +220,11 @@ class TestFileHandling(DirectoriesMixin, FileSystemAssertsMixin, TestCase):
 doc = Document.objects.create(
 title="document",
 mime_type="application/pdf",
- checksum=hashlib.md5(original_bytes).hexdigest(),
- archive_checksum=hashlib.md5(archive_bytes).hexdigest(),
+ checksum=hashlib.md5(original_bytes, usedforsecurity=False).hexdigest(),
+ archive_checksum=hashlib.md5(
+ archive_bytes,
+ usedforsecurity=False,
+ ).hexdigest(),
 filename="old/document.pdf",
 archive_filename="old/document.pdf",
 storage_path=old_storage_path,
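Review bot: The fixture hardcodes MD5 for `checksum` and `archive_checksum`, duplicating the production algorithm rather than going through a shared helper; once `_path_matches_checksum` moves to `compute_checksum()` (SHA-256) as the commit message announces, these stored values will no longer agree with what production computes for the same bytes. If that helper already exists and accepts bytes, deriving both fixture values from it keeps the test tied to the real algorithm instead of a copy of it. As a point of style, the two added calls are formatted differently (one single-line, one multi-line) for no reason a reader can see; putting both in the multi-line form reads more evenly. The enclosing test method starts before this hunk, so `original_bytes` and `archive_bytes` are defined outside what is shown.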