Open usrbinsam opened 6 years ago
https://github.com/pyskell/LicenseServer/blob/9beb984c92f8c37a591c1c26a715eabff0a57374/auth.py#L48
I would not trust the randomness of this function. You should use this module instead: https://docs.python.org/3/library/secrets.html#module-secrets.
https://github.com/pyskell/LicenseServer/blob/9beb984c92f8c37a591c1c26a715eabff0a57374/auth.py#L35
This is vulnerable to a timing attack. Use a constant-time comparison function or https://docs.python.org/3.6/library/hmac.html#hmac.compare_digest
https://github.com/pyskell/LicenseServer/blob/9beb984c92f8c37a591c1c26a715eabff0a57374/requirements.txt#L6
I see you listed passlib as a requirement but you aren't using it. It supports sha256_crypt, generates a salt for you, and includes a constant-time comparison function, so it would solve both of the above issues.
Thanks! I agree on both points and will need to adopt these changes.
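The three points raised above (CSPRNG-backed key generation, salted slow hashing of stored keys, and constant-time comparison on verify) together, as an added example that is not the LicenseServer project's code and not the reporter's. It uses only the standard library: `secrets` for key material, `hashlib.pbkdf2_hmac` in place of passlib's `sha256_crypt` (so it runs without passlib installed; the `pbkdf2_sha256$iterations$salt$digest` storage format is an assumption of this example), and `hmac.compare_digest` for the comparison. `naive_equal` is a constructed stand-in for an `==`-style comparison that counts how many bytes it inspected before returning, which is the information a timing attacker recovers.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# 1. Key generation: secrets draws from the OS CSPRNG, unlike random.*.
def generate_license_key(nbytes: int = 32) -> str:
    """Return a URL-safe license key with nbytes of entropy."""
    return secrets.token_urlsafe(nbytes)

# 2. Storage: salted, iterated hash. passlib's sha256_crypt.hash() does the
#    equivalent; this example uses stdlib PBKDF2-HMAC-SHA256 instead.
#    Storage format (assumption): "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
def hash_key(key: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per stored key
    digest = hashlib.pbkdf2_hmac("sha256", key.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

# 3. Verification: recompute and compare in constant time.
def verify_key(key: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", key.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest does not short-circuit on the first mismatch.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# What a plain == comparison leaks: it stops at the first differing byte, so the
# time taken grows with the length of the correct prefix. This constructed
# version returns the number of bytes it examined to make that visible.
def naive_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps  # early exit: attacker learns prefix length
    return True, steps

def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Same answer as ==, but runtime does not depend on where they differ."""
    return hmac.compare_digest(a, b)

if __name__ == "__main__":
    key = generate_license_key()
    stored = hash_key(key)
    print("key:", key)
    print("stored:", stored)
    print("verify correct:", verify_key(key, stored))
    print("verify wrong:", verify_key(key + "x", stored))
    print("naive == leaks prefix length:", naive_equal(b"abcd", b"abzz"), naive_equal(b"abcd", b"zzzz"))
```

The stored string is what the server keeps; the raw key is shown to the customer once and never written down server-side. With passlib the same flow is `sha256_crypt.hash(key)` at issue time and `sha256_crypt.verify(key, stored)` at check time, which already salts and compares in constant time.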