Patched /tmp/tmp_n5ibaaf/sqli/dao/user.py

patched-codes · Nov 11, 2024 · 3331e4a · 3331e4a
1 parent 63210e7
commit 3331e4a
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/sqli/dao/user.py b/sqli/dao/user.py
@@ -1,7 +1,7 @@
-from hashlib import md5
 from typing import NamedTuple, Optional
 
 from aiopg import Connection
+from cryptography.hazmat.primitives.kdf.argon2 import Argon2id
 
 
 class User(NamedTuple):
@@ -38,4 +38,6 @@ async def get_by_username(conn: Connection, username: str):
             return User.from_raw(await cur.fetchone())
 
     def check_password(self, password: str):
-        return self.pwd_hash == md5(password.encode('utf-8')).hexdigest()
+        kdf = Argon2id(salt=b'secure_salt')
+        pwd_hashed = kdf.derive(password.encode('utf-8'))
+        return self.pwd_hash == pwd_hashed