From 5c02598a46f32a5bce919a71b1d64a3f2289ec45 Mon Sep 17 00:00:00 2001
From: Stefano Bertelli
Date: Fri, 3 Apr 2026 00:41:16 -0500
Subject: [PATCH] =?UTF-8?q?fix:=20address=20CodeQL=20findings=20=E2=80=94?=
 =?UTF-8?q?=20sha512=20for=20token=20hashing,=20secure=20tempfile?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 tests/e2e/test_idp_seed.py | 6 ++++--
 tests/test_api.py | 2 +-
 wiregui/auth/api_token.py | 4 ++--
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/tests/e2e/test_idp_seed.py b/tests/e2e/test_idp_seed.py
index a04368e..8cf6c9e 100644
--- a/tests/e2e/test_idp_seed.py
+++ b/tests/e2e/test_idp_seed.py
@@ -166,8 +166,10 @@ async def test_seed_preserves_providers_not_in_yaml(clean_config, monkeypatch):
 
 
 async def test_seed_invalid_yaml(clean_config, monkeypatch):
-    path = Path(tempfile.mktemp(suffix=".yaml"))
-    path.write_text(": : : invalid yaml [[[")
+    f = tempfile.NamedTemporaryFile(suffix=".yaml", delete=False, mode="w")
+    f.write(": : : invalid yaml [[[")
+    f.close()
+    path = Path(f.name)
     monkeypatch.setattr("wiregui.auth.seed.get_settings", lambda: type("S", (), {"idp_config_file": str(path)})())
     await seed_idp_providers()
     async with async_session() as session:
diff --git a/tests/test_api.py b/tests/test_api.py
index a793e34..56d8ec6 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -15,7 +15,7 @@ from wiregui.utils.time import utcnow
 def test_generate_api_token():
     plaintext, token_hash = generate_api_token()
     assert len(plaintext) > 20
-    assert token_hash == hashlib.sha256(plaintext.encode()).hexdigest()
+    assert token_hash == hashlib.sha512(plaintext.encode()).hexdigest()
 
 
 def test_generate_api_token_unique():
diff --git a/wiregui/auth/api_token.py b/wiregui/auth/api_token.py
index 125d256..d930e9f 100644
--- a/wiregui/auth/api_token.py
+++ b/wiregui/auth/api_token.py
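Review bot: The new `tempfile.NamedTemporaryFile(..., delete=False)` in test_seed_invalid_yaml is never unlinked, so every run of this test leaves a stray .yaml file in the system temp directory; the mktemp race is gone but the clean-up problem is new. Since the test already takes pytest fixtures (`monkeypatch`), the built-in `tmp_path` fixture gives a per-test directory that pytest removes on its own and makes the tempfile module unnecessary here: `async def test_seed_invalid_yaml(clean_config, monkeypatch, tmp_path):` / `path = tmp_path / "invalid.yaml"` / `path.write_text(": : : invalid yaml [[[")`. The body of test_seed_invalid_yaml continues past the hunk.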
@@ -15,13 +15,13 @@ from wiregui.utils.time import utcnow
 def generate_api_token() -> tuple[str, str]:
     """Generate a new API token. Returns (plaintext_token, token_hash)."""
     plaintext = secrets.token_urlsafe(32)
-    token_hash = hashlib.sha256(plaintext.encode()).hexdigest()
+    token_hash = hashlib.sha512(plaintext.encode()).hexdigest()
     return plaintext, token_hash
 
 
 async def resolve_bearer_token(session: AsyncSession, token: str) -> User | None:
     """Look up a Bearer token and return the associated user, or None."""
-    token_hash = hashlib.sha256(token.encode()).hexdigest()
+    token_hash = hashlib.sha512(token.encode()).hexdigest()
     result = await session.execute(
         select(ApiToken).where(ApiToken.token_hash == token_hash)
     )
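Review bot: Switching resolve_bearer_token to sha512 silently invalidates every token already stored as a sha256 hexdigest: the lookup `select(ApiToken).where(ApiToken.token_hash == token_hash)` now compares a 128-character digest against 64-character rows, so the commit needs either a data migration that reissues tokens or a transitional fallback lookup on the old digest, and if `token_hash` is a fixed-width column it must fit 128 hex characters (the model is not visible here — verify). For a `secrets.token_urlsafe(32)` value the digest width does not change the cost of guessing the token, so that migration is the only security-relevant consequence of this hunk. The digest algorithm is now chosen in two places; a single `def _hash_token(token: str) -> str: return hashlib.sha512(token.encode()).hexdigest()` used by both generate_api_token and resolve_bearer_token keeps them from drifting apart again. The generate_api_token docstring should also state what the second value is, e.g. `"""Generate a new API token. Returns (plaintext_token, token_hash), where token_hash is the hex SHA-512 digest of the plaintext and is the value stored for lookup."""`. The body of resolve_bearer_token continues past the hunk.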