Merge pull request #1 from shivan4030/security-fix-md5-to-sha256-10578100328635739487

shivan4030 · web-flow · commit 0f90c45c155e · 2026-03-28T10:08:44.000-07:00
🔒 [security fix] Replace MD5 with SHA256 for session key generation
diff --git a/src/google/adk/tools/mcp_tool/mcp_session_manager.py b/src/google/adk/tools/mcp_tool/mcp_session_manager.py
@@ -273,7 +273,7 @@ def _generate_session_key(
     # For SSE and StreamableHTTP connections, use merged headers
     if merged_headers:
       headers_json = json.dumps(merged_headers, sort_keys=True)
-      headers_hash = hashlib.md5(headers_json.encode()).hexdigest()
+      headers_hash = hashlib.sha256(headers_json.encode()).hexdigest()
       return f'session_{headers_hash}'
     else:
       return 'session_no_headers'
diff --git a/tests/unittests/tools/mcp_tool/test_mcp_session_manager.py b/tests/unittests/tools/mcp_tool/test_mcp_session_manager.py
@@ -222,7 +222,7 @@ def test_generate_session_key_sse(self):
 
     # Should be deterministic hash
     headers_json = json.dumps(headers1, sort_keys=True)
-    expected_hash = hashlib.md5(headers_json.encode()).hexdigest()
+    expected_hash = hashlib.sha256(headers_json.encode()).hexdigest()
     assert key1 == f"session_{expected_hash}"
 
   def test_merge_headers_stdio(self):
