Use secrets for password generation

2020-07-08 16:09:27 +01:00 · 2020-07-08 16:09:27 +01:00 · b02ddbaed0
parent 48553013f6
commit b02ddbaed0
5 changed files with 26 additions and 14 deletions
--- a/auth.py
+++ b/auth.py
@ -11,6 +11,7 @@ import hashlib
 import binascii
 import os
 import random
+import secrets


 def hashPassword(password: str) -> str:
@ -162,4 +163,4 @@ def authorize(baseDir: str, path: str, authHeader: str, debug: bool) -> bool:
 def createPassword(length=10):
    validChars = 'abcdefghijklmnopqrstuvwxyz' + \
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
-    return ''.join((random.choice(validChars) for i in range(length)))
+    return ''.join((secrets.choice(validChars) for i in range(length)))
--- a/daemon.py
+++ b/daemon.py
@ -535,7 +535,7 @@ class PubServer(BaseHTTPRequestHandler):
            except BaseException:
                pass
        if not etag:
-            etag = sha1(data).hexdigest()
+            etag = sha1(data).hexdigest() # nosec
            try:
                with open(mediaFilename + '.etag', 'w') as etagFile:
                    etagFile.write(etag)
@ -5098,7 +5098,7 @@ class PubServer(BaseHTTPRequestHandler):
                    else:
                        with open(mediaFilename, 'rb') as avFile:
                            mediaBinary = avFile.read()
-                            etag = sha1(mediaBinary).hexdigest()
+                            etag = sha1(mediaBinary).hexdigest() # nosec
                            try:
                                with open(mediaTagFilename, 'w') as etagFile:
                                    etagFile.write(etag)
--- a/media.py
+++ b/media.py
@ -43,10 +43,10 @@ def removeMetaData(imageFilename: str, outputFilename: str) -> None:
        return
    if os.path.isfile('/usr/bin/exiftool'):
        print('Removing metadata from ' + outputFilename + ' using exiftool')
-        os.system('exiftool -all= ' + outputFilename)
+        os.system('exiftool -all= ' + outputFilename) # nosec
    elif os.path.isfile('/usr/bin/mogrify'):
        print('Removing metadata from ' + outputFilename + ' using mogrify')
-        os.system('/usr/bin/mogrify -strip ' + outputFilename)
+        os.system('/usr/bin/mogrify -strip ' + outputFilename) # nosec


 def getImageHash(imageFilename: str) -> str:
@ -119,7 +119,7 @@ def updateEtag(mediaFilename: str) -> None:
    if not data:
        return
    # calculate hash
-    etag = sha1(data).hexdigest()
+    etag = sha1(data).hexdigest() # nosec
    # save the hash
    try:
        with open(mediaFilename + '.etag', 'w') as etagFile:
--- a/person.py
+++ b/person.py
@ -151,13 +151,17 @@ def randomizeActorImages(personJson: {}) -> None:
    personId = personJson['id']
    lastPartOfFilename = personJson['icon']['url'].split('/')[-1]
    existingExtension = lastPartOfFilename.split('.')[1]
+    # NOTE: these files don't need to have cryptographically
+    # secure names
    personJson['icon']['url'] = \
-        personId + '/avatar' + str(randint(10000000000000, 99999999999999)) + \
+        personId + '/avatar' + \
+        str(randint(10000000000000, 99999999999999)) + \ # nosec
        '.' + existingExtension
    lastPartOfFilename = personJson['image']['url'].split('/')[-1]
    existingExtension = lastPartOfFilename.split('.')[1]
    personJson['image']['url'] = \
-        personId + '/image' + str(randint(10000000000000, 99999999999999)) + \
+        personId + '/image' + \
+        str(randint(10000000000000, 99999999999999)) + \ # nosec
        '.' + existingExtension


@ -197,13 +201,16 @@ def createPersonBase(baseDir: str, nickname: str, domain: str, port: int,
        approveFollowers = True
        personType = 'Application'

+    # NOTE: these image files don't need to have
+    # cryptographically secure names
+
    imageUrl = \
        personId + '/image' + \
-        str(randint(10000000000000, 99999999999999)) + '.png'
+        str(randint(10000000000000, 99999999999999)) + '.png' # nosec

    iconUrl = \
        personId + '/avatar' + \
-        str(randint(10000000000000, 99999999999999)) + '.png'
+        str(randint(10000000000000, 99999999999999)) + '.png' # nosec

    contextDict = {
        'Emoji': 'toot:Emoji',
--- a/utils.py
+++ b/utils.py
@ -13,7 +13,7 @@ import datetime
 import json
 from socket import error as SocketError
 import errno
-from urllib.request import urlopen
+import urllib.request
 from pprint import pprint
 from calendar import monthrange
 from followingCalendar import addPersonToCalendar
@ -1095,10 +1095,14 @@ def siteIsActive(url: str) -> bool:
    This can be used to check that an instance is online before
    trying to send posts to it.
    """
+    if not url.startswith('http'):
+        return False
    try:
-        urlopen(url, timeout=10)
-        return True
+        req = urllib.request.Request(url)
+        with urllib.request.urlopen(req, timeout=10) as res: # nosec
+            # testStr = response.read()
+            return True
    except SocketError as e:
        if e.errno == errno.ECONNRESET:
            print('WARN: connection was reset during siteIsActive')
-        return False
+    return False