From b02ddbaed0b3601ea388cddaad8d39a9b8003f97 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Wed, 8 Jul 2020 16:09:27 +0100
Subject: [PATCH] Use secrets for password generation

---
 auth.py | 3 ++-
 daemon.py | 4 ++--
 media.py | 6 +++---
 person.py | 15 +++++++++++----
 utils.py | 12 ++++++++----
 5 files changed, 26 insertions(+), 14 deletions(-)

diff --git a/auth.py b/auth.py
index 8f162e429..9fad6de20 100644
--- a/auth.py
+++ b/auth.py
@@ -11,6 +11,7 @@ import hashlib
 import binascii
 import os
 import random
+import secrets
 
 
 def hashPassword(password: str) -> str:
@@ -162,4 +163,4 @@ def authorize(baseDir: str, path: str, authHeader: str, debug: bool) -> bool:
 def createPassword(length=10):
 validChars = 'abcdefghijklmnopqrstuvwxyz' + \
 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
- return ''.join((random.choice(validChars) for i in range(length)))
+ return ''.join((secrets.choice(validChars) for i in range(length)))
diff --git a/daemon.py b/daemon.py
index 53a9ae6a0..b24a0ddc7 100644
--- a/daemon.py
+++ b/daemon.py
@@ -535,7 +535,7 @@ class PubServer(BaseHTTPRequestHandler):
 except BaseException:
 pass
 if not etag:
- etag = sha1(data).hexdigest()
+ etag = sha1(data).hexdigest() # nosec
 try:
 with open(mediaFilename + '.etag', 'w') as etagFile:
 etagFile.write(etag)
@@ -5098,7 +5098,7 @@ class PubServer(BaseHTTPRequestHandler):
 else:
 with open(mediaFilename, 'rb') as avFile:
 mediaBinary = avFile.read()
- etag = sha1(mediaBinary).hexdigest()
+ etag = sha1(mediaBinary).hexdigest() # nosec
 try:
 with open(mediaTagFilename, 'w') as etagFile:
 etagFile.write(etag)
diff --git a/media.py b/media.py
index e811fe60e..dcc6ca9e5 100644
--- a/media.py
+++ b/media.py
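Review bot: `createPassword` still defaults to `length=10` from a 62-character alphabet, which is roughly 59.5 bits of entropy; moving to `secrets.choice` fixes the generator but not the size, so if this default ends up as a long-lived account password consider raising it, e.g. `def createPassword(length=16):`. The generator expression can also lose the redundant parentheses and the unused loop variable: `return ''.join(secrets.choice(validChars) for _ in range(length))`. The `import random` left in place by the first hunk may now be unused if `createPassword` was its only caller; that is not visible from the hunk.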
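Review bot: The `# nosec` added to the `sha1(data).hexdigest()` line in this hunk (and again in the hunk at 5098, and on `updateEtag` in media.py) is bare, so the next reader has to rediscover why the weak-hash warning is acceptable; record it inline, e.g. `etag = sha1(data).hexdigest()  # nosec - content etag only, not a security hash`. A bare `# nosec` also disables every Bandit check on that line, not just the hash one, which is another reason to keep the justification next to it; where the interpreter is 3.9 or newer, `sha1(data, usedforsecurity=False)` states the same intent to the runtime as well. These lines sit inside a `PubServer` method that begins and ends outside the hunk.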
@@ -43,10 +43,10 @@ def removeMetaData(imageFilename: str, outputFilename: str) -> None:
 return
 if os.path.isfile('/usr/bin/exiftool'):
 print('Removing metadata from ' + outputFilename + ' using exiftool')
- os.system('exiftool -all= ' + outputFilename)
+ os.system('exiftool -all= ' + outputFilename) # nosec
 elif os.path.isfile('/usr/bin/mogrify'):
 print('Removing metadata from ' + outputFilename + ' using mogrify')
- os.system('/usr/bin/mogrify -strip ' + outputFilename)
+ os.system('/usr/bin/mogrify -strip ' + outputFilename) # nosec
 
 
 def getImageHash(imageFilename: str) -> str:
@@ -119,7 +119,7 @@ def updateEtag(mediaFilename: str) -> None:
 if not data:
 return
 # calculate hash
- etag = sha1(data).hexdigest()
+ etag = sha1(data).hexdigest() # nosec
 # save the hash
 try:
 with open(mediaFilename + '.etag', 'w') as etagFile:
diff --git a/person.py b/person.py
index 3db66c57b..eab69cd8b 100644
--- a/person.py
+++ b/person.py
@@ -151,13 +151,17 @@ def randomizeActorImages(personJson: {}) -> None:
 personId = personJson['id']
 lastPartOfFilename = personJson['icon']['url'].split('/')[-1]
 existingExtension = lastPartOfFilename.split('.')[1]
+ # NOTE: these files don't need to have cryptographically
+ # secure names
 personJson['icon']['url'] = \
- personId + '/avatar' + str(randint(10000000000000, 99999999999999)) + \
+ personId + '/avatar' + \
+ str(randint(10000000000000, 99999999999999)) + \ # nosec
 '.' + existingExtension
 lastPartOfFilename = personJson['image']['url'].split('/')[-1]
 existingExtension = lastPartOfFilename.split('.')[1]
 personJson['image']['url'] = \
- personId + '/image' + str(randint(10000000000000, 99999999999999)) + \
+ personId + '/image' + \
+ str(randint(10000000000000, 99999999999999)) + \ # nosec
 '.' + existingExtension
 
 
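Review bot: The `# nosec` on the two `os.system` calls silences the linter but leaves the finding itself in place: each command is a shell string built by concatenating `outputFilename`, so shell metacharacters in that name are interpreted by the shell instead of being handed to exiftool or mogrify as a filename. I cannot see from the hunk whether the name is derived from user-controlled input (`removeMetaData` begins outside the hunk), but the fix is the same either way: `subprocess.run(['exiftool', '-all=', outputFilename])` and `subprocess.run(['/usr/bin/mogrify', '-strip', outputFilename])`, plus `import subprocess` at the top of media.py. Both calls also discard the exit status, so a failed strip is logged as a success by the preceding `print`; checking `.returncode` would make that visible.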
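Review bot: The two new lines `str(randint(10000000000000, 99999999999999)) + \  # nosec` are a SyntaxError: a backslash continuation has to be the last character on its line, so the trailing comment makes Python reject person.py with "unexpected character after line continuation character" and the module no longer imports. Build the string inside parentheses instead of with backslashes, which lets the `# nosec` sit on the `randint` line; the same rewrite applies to the `personJson['image']['url']` assignment further down this hunk (the `createPersonBase` hunk puts its `# nosec` on lines that are not continued and is fine). `randomizeActorImages` begins outside the hunk.
```python
    # NOTE: these files don't need to have cryptographically
    # secure names
    personJson['icon']['url'] = (
        personId + '/avatar' +
        str(randint(10000000000000, 99999999999999)) +  # nosec
        '.' + existingExtension
    )
    # … unchanged: lastPartOfFilename / existingExtension for the image …
    personJson['image']['url'] = (
        personId + '/image' +
        str(randint(10000000000000, 99999999999999)) +  # nosec
        '.' + existingExtension
    )
```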
@@ -197,13 +201,16 @@ def createPersonBase(baseDir: str, nickname: str, domain: str, port: int, approveFollowers = True personType = 'Application' + # NOTE: these image files don't need to have + # cryptographically secure names + imageUrl = \ personId + '/image' + \ - str(randint(10000000000000, 99999999999999)) + '.png' + str(randint(10000000000000, 99999999999999)) + '.png' # nosec iconUrl = \ personId + '/avatar' + \ - str(randint(10000000000000, 99999999999999)) + '.png' + str(randint(10000000000000, 99999999999999)) + '.png' # nosec contextDict = { 'Emoji': 'toot:Emoji', diff --git a/utils.py b/utils.py index cf8ad07d5..69a882f48 100644 --- a/utils.py +++ b/utils.py @@ -13,7 +13,7 @@ import datetime import json from socket import error as SocketError import errno -from urllib.request import urlopen +import urllib.request from pprint import pprint from calendar import monthrange from followingCalendar import addPersonToCalendar @@ -1095,10 +1095,14 @@ def siteIsActive(url: str) -> bool: This can be used to check that an instance is online before trying to send posts to it. """ + if not url.startswith('http'): + return False try: - urlopen(url, timeout=10) - return True + req = urllib.request.Request(url) + with urllib.request.urlopen(req, timeout=10) as res: # nosec + # testStr = response.read() + return True except SocketError as e: if e.errno == errno.ECONNRESET: print('WARN: connection was reset during siteIsActive') - return False + return False
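Review bot: `url.startswith('http')` is looser than the scheme check it stands for: it accepts any string that begins with those four letters, not only `http://` and `https://`, so the guard that justifies the `# nosec` on `urlopen` should pin the scheme, `if not url.startswith(('http://', 'https://')):`. The commented-out `# testStr = response.read()` refers to a name that does not exist here (`res` is what is bound, and it is never used); drop the comment and write `with urllib.request.urlopen(req, timeout=10):` without the `as`. Because `socket.error` is an alias of `OSError` in Python 3, `URLError`/`HTTPError` from a refused connection or a 4xx/5xx response do reach `return False`, but a malformed URL raising `ValueError` still escapes the function — whether callers expect that is not visible from the hunk. `siteIsActive` begins outside the hunk.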