Use secrets for password generation

merge-requests/30/head
Bob Mottram 2020-07-08 16:09:27 +01:00
parent 48553013f6
commit b02ddbaed0
5 changed files with 26 additions and 14 deletions


@ -11,6 +11,7 @@ import hashlib
import binascii import binascii
import os import os
import random import random
import secrets
def hashPassword(password: str) -> str: def hashPassword(password: str) -> str:
@ -162,4 +163,4 @@ def authorize(baseDir: str, path: str, authHeader: str, debug: bool) -> bool:
def createPassword(length=10): def createPassword(length=10):
validChars = 'abcdefghijklmnopqrstuvwxyz' + \ validChars = 'abcdefghijklmnopqrstuvwxyz' + \
'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
return ''.join((random.choice(validChars) for i in range(length))) return ''.join((secrets.choice(validChars) for i in range(length)))
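Review bot: The default `length=10` over this 62-character alphabet yields only about 59.5 bits of entropy, which is on the low side for a generated credential even though `secrets.choice` is now the right source; if callers do not depend on 10-character output, raise the default, e.g. `def createPassword(length=16):`, and add a docstring stating the alphabet and that the output is CSPRNG-backed. The loop index is unused, so `for _ in range(length)` reads more clearly. After this change `random` may no longer be used anywhere in the module; if so, drop the import so a future `random.` call is caught by the linter instead of quietly reintroducing a non-cryptographic source — I can only see this hunk, so verify before removing it. `hashPassword` above the hunk is not part of this change.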


@ -535,7 +535,7 @@ class PubServer(BaseHTTPRequestHandler):
except BaseException: except BaseException:
pass pass
if not etag: if not etag:
etag = sha1(data).hexdigest() etag = sha1(data).hexdigest() # nosec
try: try:
with open(mediaFilename + '.etag', 'w') as etagFile: with open(mediaFilename + '.etag', 'w') as etagFile:
etagFile.write(etag) etagFile.write(etag)
@ -5098,7 +5098,7 @@ class PubServer(BaseHTTPRequestHandler):
else: else:
with open(mediaFilename, 'rb') as avFile: with open(mediaFilename, 'rb') as avFile:
mediaBinary = avFile.read() mediaBinary = avFile.read()
etag = sha1(mediaBinary).hexdigest() etag = sha1(mediaBinary).hexdigest() # nosec
try: try:
with open(mediaTagFilename, 'w') as etagFile: with open(mediaTagFilename, 'w') as etagFile:
etagFile.write(etag) etagFile.write(etag)
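Review bot: The bare `# nosec` on the two `sha1(...)` lines silences Bandit's weak-hash finding without recording why it is acceptable, so the next reader (or a stricter scanner) has to rediscover the reasoning; annotate it with the rationale and the specific check, e.g. `etag = sha1(data).hexdigest()  # nosec B303 - content fingerprint for the ETag, not a security hash`. SHA-1 is fine here as long as the etag is used only for cache validation and nothing derives trust from it; if that ever changes (for example comparing etags to decide whether to skip an integrity check), switch to sha256. The `except BaseException: pass` at the top of the first hunk predates this commit, but it also swallows `KeyboardInterrupt` and `SystemExit` around what looks like the cached-etag read; `except OSError:` would be the narrower catch. Both hunks sit inside `PubServer` methods that start and end outside the hunk.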


@ -43,10 +43,10 @@ def removeMetaData(imageFilename: str, outputFilename: str) -> None:
return return
if os.path.isfile('/usr/bin/exiftool'): if os.path.isfile('/usr/bin/exiftool'):
print('Removing metadata from ' + outputFilename + ' using exiftool') print('Removing metadata from ' + outputFilename + ' using exiftool')
os.system('exiftool -all= ' + outputFilename) os.system('exiftool -all= ' + outputFilename) # nosec
elif os.path.isfile('/usr/bin/mogrify'): elif os.path.isfile('/usr/bin/mogrify'):
print('Removing metadata from ' + outputFilename + ' using mogrify') print('Removing metadata from ' + outputFilename + ' using mogrify')
os.system('/usr/bin/mogrify -strip ' + outputFilename) os.system('/usr/bin/mogrify -strip ' + outputFilename) # nosec
def getImageHash(imageFilename: str) -> str: def getImageHash(imageFilename: str) -> str:
@ -119,7 +119,7 @@ def updateEtag(mediaFilename: str) -> None:
if not data: if not data:
return return
# calculate hash # calculate hash
etag = sha1(data).hexdigest() etag = sha1(data).hexdigest() # nosec
# save the hash # save the hash
try: try:
with open(mediaFilename + '.etag', 'w') as etagFile: with open(mediaFilename + '.etag', 'w') as etagFile:
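Review bot: The `# nosec` on the two `os.system(...)` lines only hides Bandit's shell-injection finding; `outputFilename` is still interpolated into a shell command string, so any shell metacharacter or whitespace in the path (whatever its origin — I cannot see the callers from here) breaks the command or runs something else. Replace both calls with an argument list and no shell, `subprocess.run(['/usr/bin/exiftool', '-overwrite_original', '-all=', outputFilename], check=False)` and `subprocess.run(['/usr/bin/mogrify', '-strip', outputFilename], check=False)` (plus `import subprocess` at the top of the file), after which the suppression is unnecessary. Two further points: `os.system`'s return status is discarded, so a failed strip silently leaves metadata in the file — at least log a warning when the return code is non-zero; and unless the caller relies on it, exiftool by default keeps the unstripped original as `<outputFilename>_original` next to the result, which defeats the purpose of this function — the `-overwrite_original` flag included above prevents that backup. `removeMetaData` begins above the hunk; the second hunk's `# nosec` on `sha1` for the etag is reasonable but would benefit from the same short rationale comment.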


@ -151,13 +151,17 @@ def randomizeActorImages(personJson: {}) -> None:
personId = personJson['id'] personId = personJson['id']
lastPartOfFilename = personJson['icon']['url'].split('/')[-1] lastPartOfFilename = personJson['icon']['url'].split('/')[-1]
existingExtension = lastPartOfFilename.split('.')[1] existingExtension = lastPartOfFilename.split('.')[1]
# NOTE: these files don't need to have cryptographically
# secure names
personJson['icon']['url'] = \ personJson['icon']['url'] = \
personId + '/avatar' + str(randint(10000000000000, 99999999999999)) + \ personId + '/avatar' + \
str(randint(10000000000000, 99999999999999)) + \ # nosec
'.' + existingExtension '.' + existingExtension
lastPartOfFilename = personJson['image']['url'].split('/')[-1] lastPartOfFilename = personJson['image']['url'].split('/')[-1]
existingExtension = lastPartOfFilename.split('.')[1] existingExtension = lastPartOfFilename.split('.')[1]
personJson['image']['url'] = \ personJson['image']['url'] = \
personId + '/image' + str(randint(10000000000000, 99999999999999)) + \ personId + '/image' + \
str(randint(10000000000000, 99999999999999)) + \ # nosec
'.' + existingExtension '.' + existingExtension
@ -197,13 +201,16 @@ def createPersonBase(baseDir: str, nickname: str, domain: str, port: int,
approveFollowers = True approveFollowers = True
personType = 'Application' personType = 'Application'
# NOTE: these image files don't need to have
# cryptographically secure names
imageUrl = \ imageUrl = \
personId + '/image' + \ personId + '/image' + \
str(randint(10000000000000, 99999999999999)) + '.png' str(randint(10000000000000, 99999999999999)) + '.png' # nosec
iconUrl = \ iconUrl = \
personId + '/avatar' + \ personId + '/avatar' + \
str(randint(10000000000000, 99999999999999)) + '.png' str(randint(10000000000000, 99999999999999)) + '.png' # nosec
contextDict = { contextDict = {
'Emoji': 'toot:Emoji', 'Emoji': 'toot:Emoji',
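Review bot: As rendered, the two added lines `str(randint(10000000000000, 99999999999999)) + \ # nosec` in `randomizeActorImages` place a comment after a backslash line continuation, which Python rejects with `SyntaxError: unexpected character after line continuation character`, so the module will not import; the two `createPersonBase` lines are fine because there the marker follows a complete statement. Wrap each expression in parentheses so the comment can sit on the `randint` line, or move the marker to the last physical line of the statement. The NOTE that these names need not be cryptographically secure is fair if, as the names suggest, the URLs are published in the actor document anyway and the randomness only busts caches — worth stating that reason in the comment itself (`# NOTE: these URLs are public in the actor JSON; the random suffix only busts caches`), confirmed against the callers. `randomizeActorImages` starts above the hunk and `createPersonBase` continues below it.
```python
    personJson['icon']['url'] = (
        personId + '/avatar' +
        str(randint(10000000000000, 99999999999999)) +  # nosec
        '.' + existingExtension)
    # … unchanged: lastPartOfFilename / existingExtension for the image …
    personJson['image']['url'] = (
        personId + '/image' +
        str(randint(10000000000000, 99999999999999)) +  # nosec
        '.' + existingExtension)
```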


@ -13,7 +13,7 @@ import datetime
import json import json
from socket import error as SocketError from socket import error as SocketError
import errno import errno
from urllib.request import urlopen import urllib.request
from pprint import pprint from pprint import pprint
from calendar import monthrange from calendar import monthrange
from followingCalendar import addPersonToCalendar from followingCalendar import addPersonToCalendar
@ -1095,10 +1095,14 @@ def siteIsActive(url: str) -> bool:
This can be used to check that an instance is online before This can be used to check that an instance is online before
trying to send posts to it. trying to send posts to it.
""" """
if not url.startswith('http'):
return False
try: try:
urlopen(url, timeout=10) req = urllib.request.Request(url)
return True with urllib.request.urlopen(req, timeout=10) as res: # nosec
# testStr = response.read()
return True
except SocketError as e: except SocketError as e:
if e.errno == errno.ECONNRESET: if e.errno == errno.ECONNRESET:
print('WARN: connection was reset during siteIsActive') print('WARN: connection was reset during siteIsActive')
return False return False
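Review bot: The new scheme guard `if not url.startswith('http'):` accepts any string beginning with those four letters, not just `http://` and `https://`; since its purpose is to keep `urlopen` away from `file:` and the other handlers (the reason Bandit raises B310), make it exact: `if not url.startswith(('http://', 'https://')):`. The `as res` binding is never used (the read is commented out), so `with urllib.request.urlopen(req, timeout=10):  # nosec` is cleaner and avoids an unused-variable warning. Note also that on Python 3 `socket.error` is an alias of `OSError`, so this `except SocketError` branch also receives `urllib.error.HTTPError`/`URLError` (with `errno` typically unset) for 4xx/5xx responses; the rest of the except chain lies outside the hunk, so confirm those fall through to `return False`. This function will probe whatever host the URL names, including loopback and private ranges, so if `url` can originate from a remote actor it is an SSRF primitive — whether that is acceptable depends on callers I cannot see.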