Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

added module for unix compatibility #1

Draft
wants to merge 9 commits into
base: main
Choose a base branch
from
Draft

added module for unix compatibility #1

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
0b2c774
added module for unix compatibility
Barakudum Oct 11, 2024
a507811
added library exception classes
Barakudum Oct 13, 2024
65251ed
added bcrypt
Barakudum Oct 13, 2024
b2e0d77
added bcrypt to __all__
Barakudum Oct 13, 2024
2682502
code reformat for load_bcrypt
Barakudum Oct 13, 2024
cafea26
fixed typo in comparison operator
Barakudum Oct 13, 2024
e199aba
new unix.utils
Barakudum Oct 13, 2024
437569d
code reformat
Barakudum Oct 13, 2024
8633bc6
implemented unix-loading for sha256
Barakudum Oct 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions src/passwordlib/exceptions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
# -*- coding=utf-8 -*-
r"""

"""


__all__ = ['PasswordlibError', 'PWLibSyntaxError', 'PWLibBadPrefixError']


class PasswordlibError(Exception):
pass


class PWLibSyntaxError(PasswordlibError):
pass


class PWLibBadPrefixError(PasswordlibError):
pass
6 changes: 6 additions & 0 deletions src/passwordlib/unix/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# -*- coding=utf-8 -*-
r"""
Compatibility for the widely used unix formats
"""
from . import encrypt
from . import loading
26 changes: 26 additions & 0 deletions src/passwordlib/unix/encrypt.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# -*- coding=utf-8 -*-
r"""

"""
import typing as t
from ..core import functions as fn


__all__ = ['encrypt_sha1']


BCRYPT_PREFIX: t.TypeAlias = t.Union[t.Literal[b"2a"], t.Literal[b"2b"]]


def encrypt_bcrypt(password: t.AnyStr, rounds: int = 12, prefix: BCRYPT_PREFIX = "2b") -> str:
import bcrypt
password = fn.get_password_bytes(password)
return bcrypt.hashpw(password, bcrypt.gensalt(rounds=rounds, prefix=prefix)).decode()


def encrypt_sha1(password: t.AnyStr) -> str:
from hashlib import sha1
from base64 import b64encode
password = fn.get_password_bytes(password)
hashed = sha1(password).digest()

Check failure

Code scanning / CodeQL

Use of a broken or weak cryptographic hashing algorithm on sensitive data High

Sensitive data (password)
Loading
is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function.
Sensitive data (password)
Loading
is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function.
Sensitive data (password)
Loading
is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function.
Sensitive data (password)
Loading
is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function.

Copilot Autofix AI 6 months ago

To fix the problem, we should replace the use of the SHA-1 hashing algorithm with a stronger, more secure algorithm suitable for password hashing. One of the best options is to use the argon2 algorithm, which is designed to be computationally expensive and includes a per-password salt by default.

Steps to fix:

  1. Import the PasswordHasher class from the argon2 library.
  2. Replace the SHA-1 hashing logic with the argon2 hashing logic.
  3. Ensure that the new function maintains the same interface and functionality as the original.
Suggested changeset 2
src/passwordlib/unix/encrypt.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/passwordlib/unix/encrypt.py b/src/passwordlib/unix/encrypt.py
--- a/src/passwordlib/unix/encrypt.py
+++ b/src/passwordlib/unix/encrypt.py
@@ -22,6 +22,6 @@
 def encrypt_sha1(password: t.AnyStr) -> str:
-    from hashlib import sha1
-    from base64 import b64encode
+    from argon2 import PasswordHasher
     password = fn.get_password_bytes(password)
-    hashed = sha1(password).digest()
-    return "{SHA1}" + b64encode(hashed).decode()
+    ph = PasswordHasher()
+    hashed = ph.hash(password)
+    return hashed
EOF
@@ -22,6 +22,6 @@
def encrypt_sha1(password: t.AnyStr) -> str:
from hashlib import sha1
from base64 import b64encode
from argon2 import PasswordHasher
password = fn.get_password_bytes(password)
hashed = sha1(password).digest()
return "{SHA1}" + b64encode(hashed).decode()
ph = PasswordHasher()
hashed = ph.hash(password)
return hashed
Pipfile
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/Pipfile b/Pipfile
--- a/Pipfile
+++ b/Pipfile
@@ -8,2 +8,3 @@
 
+argon2-cffi = "^23.1.0"
 [dev-packages]
EOF
@@ -8,2 +8,3 @@

argon2-cffi = "^23.1.0"
[dev-packages]
This fix introduces these dependencies
Package Version Security advisories
argon2-cffi (pypi) 23.1.0 None
Copilot is powered by AI and may make mistakes. Always verify output.
return "{SHA1}" + b64encode(hashed).decode()
30 changes: 30 additions & 0 deletions src/passwordlib/unix/loading.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# -*- coding=utf-8 -*-
r"""

"""
from ..core import LoadedTuple
from ..exceptions import *


__all__ = ['load_sha1']


def load_bcrypt(dump: str) -> LoadedTuple:
if dump[0] != "$": raise PWLibSyntaxError()
prefix, sep, rest = dump[1:].partition("$")
if sep is None: raise PWLibSyntaxError()
if prefix not in {"2", "2a", "2b", "2x", "2y"}: raise PWLibBadPrefixError("unknown prefix")
rounds, sep, rest = rest.partition("$")
if sep is None: raise PWLibSyntaxError()
iterations = int(rounds)
salt = rest[:22].encode() # note: salt is in a base-64 encoded format
hashed = rest[22:].encode()
return LoadedTuple(algorithm="bcrypt", iterations=iterations, salt=salt, hashed=hashed)


def load_sha1(dump: str) -> LoadedTuple:
from base64 import b64decode
if not dump.startswith("{SHA}"): raise PWLibBadPrefixError("Invalid dump format")
b64encoded = dump[6:]
hashed = b64decode(b64encoded)
return LoadedTuple(algorithm="sha1", iterations=-1, salt=b'', hashed=hashed)