Pleasing bandit

Author: Lucas-C

.banditrc.yml

@@ -1,13 +1,12 @@
 skips:
   # Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
-  # => OK, we don't care thought
+  # => OK, we don't care though
   - B101
+
   # Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.
   # cf. https://github.com/PyFPDF/fpdf2/issues/345
   - B301
-  # Use of insecure MD2, MD4, MD5, or SHA1 hash function.
-  # => the md5 module is only used to build a cache key, this is secure
-  - B303
+
   # Consider possible security implications associated with pickle module.
   # cf. https://github.com/PyFPDF/fpdf2/issues/345
   - B403

fpdf/fpdf.py

@@ -2732,11 +2732,11 @@ def image(
         if isinstance(name, str):
             img = None
         elif isinstance(name, Image.Image):
-            name, img = hashlib.md5(name.tobytes()).hexdigest(), name
+            name, img = hashlib.md5(name.tobytes()).hexdigest(), name  # nosec B303,B324 # we just build a cache key, this is secure
         elif isinstance(name, io.BytesIO):
             if _is_xml(name):
                 return self._vector_image(name, x, y, w, h, link, title, alt_text)
-            name, img = hashlib.md5(name.getvalue()).hexdigest(), name
+            name, img = hashlib.md5(name.getvalue()).hexdigest(), name  # nosec B303,B324 # we just build a cache key, this is secure
         else:
             name, img = str(name), name
         info = self.images.get(name)

fpdf/image_parsing.py

@@ -22,7 +22,7 @@ def load_image(filename):
         return filename
     # by default loading from network is allowed for all images
     if filename.startswith(("http://", "https://")):
-        with urlopen(filename) as url_file:  # nosec B310
+        with urlopen(filename) as url_file:  # nosec B310 # permitted schemes are whitelisted
             return BytesIO(url_file.read())
     elif filename.startswith("data"):
         return _decode_base64_image(filename)