2023-07-06 10:32:19 +02:00
|
|
|
== How to fix it in Python Standard Library
|
|
|
|
|
|
|
|
|
|
=== Code examples
|
|
|
|
|
|
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
|
|
|
|
|
|
==== Noncompliant code example
|
|
|
|
|
|
|
|
|
|
[source,python,diff-id=1,diff-type=noncompliant]
|
|
|
|
|
----
|
2024-03-18 09:32:06 +01:00
|
|
|
import hashlib
|
2023-07-06 10:32:19 +02:00
|
|
|
|
2024-03-18 09:32:06 +01:00
|
|
|
hash = hashlib.scrypt(password, salt=b"F3MdWpeHeeSjlUxvKBnzzA", n=2**17, r=8, p=1) # Noncompliant
|
2023-07-06 10:32:19 +02:00
|
|
|
----
|
|
|
|
|
|
|
|
|
|
==== Compliant solution
|
|
|
|
|
|
|
|
|
|
[source,python,diff-id=1,diff-type=compliant]
|
|
|
|
|
----
|
2024-03-18 09:32:06 +01:00
|
|
|
import hashlib
|
|
|
|
|
import secrets
|
2023-07-06 10:32:19 +02:00
|
|
|
|
2024-03-18 09:32:06 +01:00
|
|
|
salt = secrets.token_bytes(32)
|
|
|
|
|
hash = hashlib.scrypt(password, salt=salt, n=2**17, r=8, p=1)
|
2023-07-06 10:32:19 +02:00
|
|
|
----
|
|
|
|
|
|
|
|
|
|
=== How does this work?
|
|
|
|
|
|
|
|
|
|
include::../../common/fix/salt.adoc[]
|
|
|
|
|
|
|
|
|
|
Here, the compliant code example ensures the salt is random and has a sufficient
|
2024-03-18 09:32:06 +01:00
|
|
|
length by calling the `secrets.token_bytes` function. This one internally uses a
|
2023-07-06 10:32:19 +02:00
|
|
|
cryptographically secure pseudo random number generator.
|
