patched-codes · CTY-git · May 28, 2024 · May 28, 2024 · May 28, 2024
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -10,6 +10,9 @@ services:
 
   redis:
     image: redis:alpine
+    security_opt:
+      - no-new-privileges: true
+    read_only: true
 
   sqli:
     build:
@@ -22,3 +25,4 @@ services:
       - 8080:8080
     command: |
       wait-for postgres:5432 -- python run.py
+
diff --git a/sqli/dao/student.py b/sqli/dao/student.py
@@ -39,9 +39,9 @@ async def get_many(conn: Connection, limit: Optional[int] = None,
 
     @staticmethod
     async def create(conn: Connection, name: str):
-        q = ("INSERT INTO students (name) "
-             "VALUES ('%(name)s')" % {'name': name})
         async with conn.cursor() as cur:
-            await cur.execute(q)
-
+            await cur.execute(
+                "INSERT INTO students (name) VALUES (%s)",
+                (name,),
+            )
 
diff --git a/sqli/dao/user.py b/sqli/dao/user.py
@@ -1,5 +1,6 @@
 from hashlib import md5
 from typing import NamedTuple, Optional
+import hashlib
 
 from aiopg import Connection
 
@@ -38,4 +39,4 @@
             return User.from_raw(await cur.fetchone())
 
     def check_password(self, password: str):
-        return self.pwd_hash == md5(password.encode('utf-8')).hexdigest()
+        return self.pwd_hash == hashlib.scrypt(password.encode('utf-8'), salt=b'saltysalt', n=2**14, r=8, p=1).hex()