
Commit 6c8a558

committed
security: Replace weak MD5 hash with SHA256 in MCPSessionManager
Replaces `hashlib.md5` with `hashlib.sha256` for session key generation in `mcp_session_manager.py` to mitigate security risks associated with weak cryptographic hashes. Updated the corresponding unit test to expect SHA256 hashes.
1 parent a893fa0 commit 6c8a558


2 files changed

+2
-2
lines changed


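--- a/src/google/adk/tools/mcp_tool/mcp_session_manager.py
+++ b/src/google/adk/tools/mcp_tool/mcp_session_manager.py
@@ -278,7 +278,7 @@ def _generate_session_key(
 # For SSE and StreamableHTTP connections, use merged headers
 if merged_headers:
 headers_json = json.dumps(merged_headers, sort_keys=True)
-headers_hash = hashlib.md5(headers_json.encode()).hexdigest()
+headers_hash = hashlib.sha256(headers_json.encode()).hexdigest()
 return f'session_{headers_hash}'
 else:
 return 'session_no_headers'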
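Review bot: The `headers_hash = hashlib.sha256(...)` line carries no comment explaining why a collision-resistant digest is required here, so a later change could swap the algorithm back without noticing the risk. The key appears to identify a session by its merged headers, and if those headers carry per-caller credentials (not visible in this hunk), two header sets hashing to the same key would presumably share one session. I would add above the hash line: `# SHA-256 rather than MD5: the digest identifies a session by its headers, so distinct header sets must not collide`. Since the key is an unsalted digest of header values, it is also worth confirming it is not written to logs at a level where it could be correlated across users. `_generate_session_key` starts above the hunk, so how the key is consumed cannot be checked from here.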

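--- a/tests/unittests/tools/mcp_tool/test_mcp_session_manager.py
+++ b/tests/unittests/tools/mcp_tool/test_mcp_session_manager.py
@@ -265,7 +265,7 @@ def test_generate_session_key_sse(self):
 
 # Should be deterministic hash
 headers_json = json.dumps(headers1, sort_keys=True)
-expected_hash = hashlib.md5(headers_json.encode()).hexdigest()
+expected_hash = hashlib.sha256(headers_json.encode()).hexdigest()
 assert key1 == f"session_{expected_hash}"
 
 def test_merge_headers_stdio(self):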
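Review bot: The assertion on `key1` recomputes the expected value with the same `hashlib.sha256(...)` expression as the implementation, so it only proves the two stay in step and would pass equally if both were weakened together. Pinning a property of the digest makes the test guard the security intent, for example `assert len(key1) == len("session_") + 64` after the existing assert. The earlier part of `test_generate_session_key_sse` is outside the hunk, so it may already check that different headers give different keys; if it does not, that assertion belongs here too.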
