Patched /tmp/tmp3m3ecsfc/sqli/dao/user.py

sqli/dao/user.py

@@ -1,7 +1,9 @@
-from hashlib import md5
 from typing import NamedTuple, Optional
-
 from aiopg import Connection
+from cryptography.hazmat.primitives.kdf.argon2 import Argon2id
+from cryptography.hazmat.primitives.kdf.argon2 import Parameters
+from cryptography.hazmat.backends import default_backend
+from os import urandom
 
 
 class User(NamedTuple):
@@ -10,7 +12,7 @@ class User(NamedTuple):
     middle_name: Optional[str]
     last_name: str
     username: str
-    pwd_hash: str
+    pwd_hash: bytes  # Changed to bytes to accommodate Argon2id
     is_admin: bool
 
     @classmethod
@@ -38,4 +40,28 @@ async def get_by_username(conn: Connection, username: str):
             return User.from_raw(await cur.fetchone())
 
     def check_password(self, password: str):
-        return self.pwd_hash == md5(password.encode('utf-8')).hexdigest()
+        salt = self.pwd_hash[:16]  # Assuming the first 16 bytes are the salt
+        kdf = Argon2id(
+            salt=salt,
+            length=32,
+            time_cost=3,
+            memory_cost=1024 * 64,
+            parallelism=2,
+            backend=default_backend()
+        )
+        pwd_hash = kdf.derive(password.encode('utf-8'))
+        return self.pwd_hash == salt + pwd_hash
+
+    @staticmethod
+    def hash_password(password: str) -> bytes:
+        salt = urandom(16)  # Generate a random salt
+        kdf = Argon2id(
+            salt=salt,
+            length=32,
+            time_cost=3,
+            memory_cost=1024 * 64,
+            parallelism=2,
+            backend=default_backend()
+        )
+        pwd_hash = kdf.derive(password.encode('utf-8'))
+        return salt + pwd_hash