From f3a1369dbcd66e7c0ecfa906be091ef2ab068cd5 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Wed, 15 Jan 2025 13:09:23 +0800
Subject: [PATCH 1/3] Patched sqli/dao/student.py
---
 sqli/dao/student.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/sqli/dao/student.py b/sqli/dao/student.py
index d41ef885..440e5203 100644
--- a/sqli/dao/student.py
+++ b/sqli/dao/student.py
@@ -27,21 +27,21 @@ async def get_many(conn: Connection, limit: Optional[int] = None,
 q = 'SELECT id, name FROM students'
 params = {}
 if limit is not None:
- q += ' LIMIT + %(limit)s '
+ q += ' LIMIT %s '
 params['limit'] = limit
 if offset is not None:
- q += ' OFFSET + %(offset)s '
+ q += ' OFFSET %s '
 params['offset'] = offset
 async with conn.cursor() as cur:
- await cur.execute(q, params)
+ await cur.execute(q, tuple(params.values()))
 results = await cur.fetchall()
 return [Student.from_raw(r) for r in results]
 @staticmethod
 async def create(conn: Connection, name: str):
- q = ("INSERT INTO students (name) "
- "VALUES ('%(name)s')" % {'name': name})
 async with conn.cursor() as cur:
- await cur.execute(q)
-
+ await cur.execute(
+ "INSERT INTO students (name) VALUES (%s)",
+ (name,),
+ )
From ff3ceae1f3682f664a9919fb466d44c32467d923 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Wed, 15 Jan 2025 13:09:23 +0800
Subject: [PATCH 2/3] Patched sqli/dao/user.py
---
 sqli/dao/user.py | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)
diff --git a/sqli/dao/user.py b/sqli/dao/user.py
index c663ddc3..327925f1 100644
--- a/sqli/dao/user.py
+++ b/sqli/dao/user.py
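Review bot: In get_many the new `await cur.execute(q, tuple(params.values()))` is only correct because `params` happens to be filled in the same order the `%s` placeholders are appended; reordering the two `if` blocks or adding a third filter would silently bind limit to the OFFSET slot. The removed named form was already parameterized (`%(limit)s` / `%(offset)s` with the `params` dict handed to `execute`), so the only string-built SQL in this hunk was `create`'s `'%(name)s'` interpolation, which the new `execute("... VALUES (%s)", (name,))` fixes properly; I would keep the named placeholders and `await cur.execute(q, params)` rather than trade them for positional ones. Independently of this patch, nothing checks that `limit` and `offset` are non-negative before they reach the driver, which is worth a guard at the API boundary. get_many's signature starts above the hunk.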
@@ -1,8 +1,9 @@
-from hashlib import md5
 from typing import NamedTuple, Optional
-
 from aiopg import Connection
-
+from cryptography.hazmat.primitives.kdf.argon2 import Argon2id
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.backends import default_backend
+import os
 class User(NamedTuple):
 id: int
@@ -37,5 +38,28 @@ async def get_by_username(conn: Connection, username: str):
 )
 return User.from_raw(await cur.fetchone())
- def check_password(self, password: str):
- return self.pwd_hash == md5(password.encode('utf-8')).hexdigest()
+ @staticmethod
+ def hash_password(password: str, salt: bytes) -> str:
+ kdf = Argon2id(
+ length=32,
+ salt=salt,
+ iterations=4,
+ memory_cost=65536,
+ parallelism=2,
+ backend=default_backend()
+ )
+ hash = kdf.derive(password.encode('utf-8'))
+ return hash.hex()
+
+ def check_password(self, password: str) -> bool:
+ try:
+ salt, hex_hash = bytes.fromhex(self.pwd_hash[:16]), self.pwd_hash[16:]
+ return self.hash_password(password, salt) == hex_hash
+ except Exception:
+ return False
+
+ @staticmethod
+ def create_hash_for_password(password: str) -> str:
+ salt = os.urandom(16)
+ hashed = ''.join(salt.hex()) + User.hash_password(password, salt)
+ return hashed
From c1173a0637a4dcba7c951a855c36ae3448c0ed7c Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Wed, 15 Jan 2025 13:09:23 +0800
Subject: [PATCH 3/3] Patched sqli/static/js/materialize.js
---
 sqli/static/js/materialize.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sqli/static/js/materialize.js b/sqli/static/js/materialize.js
index bbd91bea..881209dd 100644
--- a/sqli/static/js/materialize.js
+++ b/sqli/static/js/materialize.js
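Review bot: `hashes` is imported on the new side but nothing in this patch uses it, and `default_backend` exists only to feed `backend=` to the `Argon2id(...)` call in the next hunk — an argument that, as far as I know, cryptography's Argon2id does not accept (the hazmat API dropped `backend` parameters some releases ago; please verify against the pinned version). Drop `from cryptography.hazmat.primitives import hashes`, and the `default_backend` import with it if the kwarg is indeed rejected. Note also that `cryptography` becomes a runtime dependency here while the series ([PATCH 1/3]–[PATCH 3/3]) touches no requirements or lock file.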
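Review bot: check_password and create_hash_for_password disagree on the stored layout: create_hash_for_password prefixes the record with `salt.hex()`, which is 32 hex characters for the 16 bytes from `os.urandom(16)`, but check_password takes `self.pwd_hash[:16]` as the salt (8 bytes after `fromhex`) and treats the remainder — which still starts with the other half of the salt — as the digest, so no password can ever verify. The bare `except Exception: return False` then turns every failure, including the TypeError I expect from `parallelism=`/`backend=` in `Argon2id(...)` (the cryptography API spells it `lanes` and takes no backend — please confirm against the installed version), into a plain "wrong password", so the breakage is invisible; catch only the `ValueError` from the hex parse and let everything else surface. The digest comparison should be `hmac.compare_digest` rather than `==`, `''.join(salt.hex())` is a no-op around `salt.hex()`, and rows that still hold the old md5 hexdigest will need a migration this commit does not include. Rewritten verifier (needs `import hmac` at the top of the file):
```python
    def check_password(self, password: str) -> bool:
        # create_hash_for_password stores os.urandom(16).hex() (32 hex chars) followed by the digest
        salt_hex, hex_hash = self.pwd_hash[:32], self.pwd_hash[32:]
        try:
            salt = bytes.fromhex(salt_hex)
        except ValueError:
            # record is not in salt||digest form (e.g. a legacy md5 row): no match, but not a crash
            return False
        return hmac.compare_digest(self.hash_password(password, salt), hex_hash)
```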
@@ -374,7 +374,7 @@ jQuery.Velocity ? console.log("Velocity is already loaded. You may be needlessly var p = r[u].element;if (t || o.loop || ("none" === o.display && S.setPropertyValue(p, "display", o.display), "hidden" === o.visibility && S.setPropertyValue(p, "visibility", o.visibility)), o.loop !== !0 && (f.queue(p)[1] === a || !/\.velocityQueueEntryFlag/i.test(f.queue(p)[1])) && i(p)) { i(p).isAnimating = !1, i(p).rootPropertyValueCache = {};var d = !1;f.each(S.Lists.transforms3D, function (e, t) { var r = /^scale/.test(t) ? 1 : 0, - n = i(p).transformCache[t];i(p).transformCache[t] !== a && new RegExp("^\\(" + r + "[^.]").test(n) && (d = !0, delete i(p).transformCache[t]); + n = i(p).transformCache[t];if (i(p).transformCache[t] !== a && /^\([a-z][^.]/.test(n)) { d = !0; delete i(p).transformCache[t];} }), o.mobileHA && (d = !0, delete i(p).transformCache.translate3d), d && S.flushTransformCache(p), S.Values.removeClass(p, "velocity-animating"); }if (!t && o.complete && !o.loop && u === c - 1) try { o.complete.call(n, n); @@ -562,7 +562,7 @@ jQuery.Velocity ? console.log("Velocity is already loaded. You may be needlessly }, addClass: function (e, t) { e.classList ? e.classList.add(t) : e.className += (e.className.length ? " " : "") + t; }, removeClass: function (e, t) { - e.classList ? e.classList.remove(t) : e.className = e.className.toString().replace(new RegExp("(^|\\s)" + t.split(" ").join("|") + "(\\s|$)", "gi"), " "); + e.classList ? e.classList.remove(t) : e.className = e.className.toString().replace(/(^|\s)t(\s|$)/gi, " "); } }, getPropertyValue: function (e, r, n, o) { function s(e, r) { function n() { 
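Review bot: The replacement `/^\([a-z][^.]/` can never match what the removed expression tested: `r` is `1` for scale transforms and `0` otherwise (`var r = /^scale/.test(t) ? 1 : 0` just above), so `new RegExp("^\\(" + r + "[^.]")` looked for `(0` or `(1` at the start of the cached value, and a letter class does not cover a digit — the stale-transform cleanup (`d = !0; delete i(p).transformCache[t]`) therefore stops firing. `r` is derived from a fixed list, not from user input, so the dynamic RegExp was not an injection risk; if a literal is wanted, `(r ? /^\(1[^.]/ : /^\(0[^.]/).test(n)` keeps the original behaviour. This is a minified vendored bundle, so a hand edit here is hard to review and will be lost on the next upstream refresh; the enclosing callback continues past the hunk.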
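Review bot: In the removeClass fallback the class name `t` has become a literal letter: `/(^|\s)t(\s|$)/gi` strips the token "t" (case-insensitively) and leaves the requested class on the element, whereas the removed line built the alternation from `t.split(" ")`. If the concern was regex metacharacters in a caller-supplied class name, the fix is to escape them before building the pattern — `var esc = t.split(" ").map(function (s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }).join("|");` and then `new RegExp("(^|\\s)" + esc + "(\\s|$)", "gi")` — not to freeze the name. Because the `classList` branch is taken first, this breakage would only show up in the legacy fallback, which makes it easy to miss in testing.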
@@ -663,7 +663,7 @@ jQuery.Velocity ? console.log("Velocity is already loaded. You may be needlessly }l = E; } else if ("start" === A) { var E;i(o).tweensContainer && i(o).isAnimating === !0 && (E = i(o).tweensContainer), f.each(y, function (e, t) { - if (RegExp("^" + S.Lists.colors.join("$|^") + "$").test(e)) { + if (/^RED$|^GREEN$|^BLUE$/.test(e)) { var r = p(t, !0), n = r[0], o = r[1],
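Review bot: The hardcoded `/^RED$|^GREEN$|^BLUE$/` replaces a pattern built from `S.Lists.colors`, and the value it is tested against is `e`, the key of the map `y` being iterated; I cannot see `S.Lists.colors` in the diff, but nothing suggests those keys would ever be the uppercase literals `RED`, `GREEN` or `BLUE`, so this branch most likely no longer matches anything the list previously covered. The list is a library constant rather than user input, so building a RegExp from it carried no injection risk; revert the line to `if (RegExp("^" + S.Lists.colors.join("$|^") + "$").test(e)) {`. As with the other hunks in this file, editing a minified vendored bundle by hand is fragile; the enclosing callback starts and ends outside the hunk.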