SNOW-2743401: added usedforsecurity argument to md5 hash for multipart upload (snowflakedb#2647)

sfc-gh-fpawlowski · web-flow · commit 1680c6cb50b5 · 2025-11-17T14:14:24.000+01:00
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
@@ -335,7 +335,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        cloud-provider: [aws]
+        cloud-provider: [aws, azure, gcp]
     steps:
       - uses: actions/checkout@v4
       - name: Setup parameters file
diff --git a/DESCRIPTION.md b/DESCRIPTION.md
@@ -15,6 +15,7 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
   - Added no_proxy parameter for proxy configuration without using environmental variables.
   - Added OAUTH_AUTHORIZATION_CODE and OAUTH_CLIENT_CREDENTIALS to list of authenticators that don't require user to be set
   - Added `oauth_socket_uri` connection parameter allowing to separate server and redirect URIs for local OAuth server.
+  - Fixed FIPS environments md5 hash isues with multipart upload on Azure.
 
 - v4.0.0(October 09,2025)
   - Added support for checking certificates revocation using revocation lists (CRLs)
diff --git a/src/snowflake/connector/azure_storage_client.py b/src/snowflake/connector/azure_storage_client.py
@@ -14,7 +14,7 @@
 from .constants import FileHeader, ResultStatus
 from .encryption_util import EncryptionMetadata
 from .storage_client import SnowflakeStorageClient
-from .util_text import get_md5
+from .util_text import get_md5_for_integrity
 from .vendored import requests
 
 if TYPE_CHECKING:  # pragma: no cover
@@ -241,9 +241,9 @@ def _complete_multipart_upload(self) -> None:
                 fd.close()
         headers = {
             "x-ms-blob-content-encoding": "utf-8",
-            "x-ms-blob-content-md5": base64.b64encode(get_md5(file_content)).decode(
-                "utf-8"
-            ),
+            "x-ms-blob-content-md5": base64.b64encode(
+                get_md5_for_integrity(file_content)
+            ).decode("utf-8"),
         }
         azure_metadata = self._prepare_file_metadata()
         headers.update(azure_metadata)
diff --git a/src/snowflake/connector/util_text.py b/src/snowflake/connector/util_text.py
@@ -293,9 +293,11 @@ def _base64_bytes_to_str(x) -> str | None:
     return base64.b64encode(x).decode("utf-8") if x else None
 
 
-def get_md5(text: str | bytes) -> bytes:
+def get_md5_for_integrity(text: str | bytes) -> bytes:
+    # MD5 should not be used for security reasons - only integrity is safe and allowed
     if isinstance(text, str):
         text = text.encode("utf-8")
-    md5 = hashlib.md5()
+    # Usedforsecurity=False added to support FIPS envs as well
+    md5 = hashlib.md5(usedforsecurity=False)
     md5.update(text)
     return md5.digest()
