From c4bb97a873a67a49797f156902f0b3a851c6092b Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Tue, 28 May 2024 13:07:08 +0800
Subject: [PATCH 1/3] Patched docker-compose.yml
---
 docker-compose.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index 1b3e2a84..808bed96 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,6 +10,9 @@ services:
 redis:
 image: redis:alpine
+ security_opt:
+ - no-new-privileges: true
+ read_only: true
 sqli:
 build:
@@ -22,3 +25,4 @@ services:
 - 8080:8080
 command: |
 wait-for postgres:5432 -- python run.py
+
From 79ce079ed2db014c7b1554bb0384efb4ba6c6f0c Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Tue, 28 May 2024 13:07:08 +0800
Subject: [PATCH 2/3] Patched sqli/dao/user.py
---
 sqli/dao/user.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sqli/dao/user.py b/sqli/dao/user.py
index c663ddc3..e53b1b50 100644
--- a/sqli/dao/user.py
+++ b/sqli/dao/user.py
@@ -1,5 +1,6 @@
 from hashlib import md5
 from typing import NamedTuple, Optional
+import hashlib
 from aiopg import Connection
@@ -38,4 +39,4 @@ async def get_by_username(conn: Connection, username: str):
 return User.from_raw(await cur.fetchone())
 def check_password(self, password: str):
- return self.pwd_hash == md5(password.encode('utf-8')).hexdigest()
+ return self.pwd_hash == hashlib.scrypt(password.encode('utf-8'), salt=b'saltysalt', n=2**14, r=8, p=1).hex()
From d96c33b8f6da532e23ec16bd498d1358299d9911 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Tue, 28 May 2024 13:07:08 +0800
Subject: [PATCH 3/3] Patched sqli/dao/student.py
---
 sqli/dao/student.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/sqli/dao/student.py b/sqli/dao/student.py
index d41ef885..e6ee0dcd 100644
--- a/sqli/dao/student.py
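Review bot: `- no-new-privileges: true` in the new `security_opt` list is read by YAML as a one-key mapping rather than a string, and compose requires each `security_opt` entry to be a string, so the file is likely to fail validation; write the entry as `- no-new-privileges:true` (no space after the colon). `read_only: true` is sound hardening for redis, but the redis image by default persists its RDB snapshot under `/data`; unless that path is a volume or tmpfs (none is visible in this hunk), the server can no longer write it, so confirm the container still starts and saves cleanly. Indentation was lost in this view, so the nesting of the new keys under `redis` should be checked in the file itself.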
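Review bot: `check_password` now verifies against scrypt with the fixed salt `b'saltysalt'`, but nothing in this series rewrites the stored `pwd_hash` values or the code that produces them, so every existing md5 hash stops matching and all logins fail unless a data migration accompanies the change. A salt shared by every user also gives little of the benefit of salting (equal passwords still yield equal digests), so the salt should be random per user and stored alongside the digest; the row format is outside this hunk, so I cannot propose the exact layout. The hex strings are still compared with `==`, which is not constant-time; prefer `return hmac.compare_digest(self.pwd_hash, hashlib.scrypt(password.encode('utf-8'), salt=b'saltysalt', n=2**14, r=8, p=1).hex())` with `import hmac` added in the import hunk, where the now-unused `from hashlib import md5` can also be dropped.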
+++ b/sqli/dao/student.py
@@ -39,9 +39,9 @@ async def get_many(conn: Connection, limit: Optional[int] = None,
 @staticmethod
 async def create(conn: Connection, name: str):
- q = ("INSERT INTO students (name) "
- "VALUES ('%(name)s')" % {'name': name})
 async with conn.cursor() as cur:
- await cur.execute(q)
-
+ await cur.execute(
+ "INSERT INTO students (name) VALUES (%s)",
+ (name,),
+ )
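Review bot: `create` now passes `name` as a bound parameter, which is the right fix, but the method still carries no docstring; add `"""Insert a student row named *name*; the value is bound by the driver, never formatted into the SQL."""` directly under the `async def create(...)` line. The hunk ends at the closing `)` and the method body may continue past it (no return is visible here), so verify the placement in the file.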