123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247 |
- import hashlib
- import hmac
- import os
- import posixpath
- import secrets
- import typing as t
- import warnings
- if t.TYPE_CHECKING:
- pass
- SALT_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
- DEFAULT_PBKDF2_ITERATIONS = 260000
- _os_alt_seps: t.List[str] = list(
- sep for sep in [os.path.sep, os.path.altsep] if sep is not None and sep != "/"
- )
- def pbkdf2_hex(
- data: t.Union[str, bytes],
- salt: t.Union[str, bytes],
- iterations: int = DEFAULT_PBKDF2_ITERATIONS,
- keylen: t.Optional[int] = None,
- hashfunc: t.Optional[t.Union[str, t.Callable]] = None,
- ) -> str:
- """Like :func:`pbkdf2_bin`, but returns a hex-encoded string.
- :param data: the data to derive.
- :param salt: the salt for the derivation.
- :param iterations: the number of iterations.
- :param keylen: the length of the resulting key. If not provided,
- the digest size will be used.
- :param hashfunc: the hash function to use. This can either be the
- string name of a known hash function, or a function
- from the hashlib module. Defaults to sha256.
- .. deprecated:: 2.0
- Will be removed in Werkzeug 2.1. Use :func:`hashlib.pbkdf2_hmac`
- instead.
- .. versionadded:: 0.9
- """
- warnings.warn(
- "'pbkdf2_hex' is deprecated and will be removed in Werkzeug"
- " 2.1. Use 'hashlib.pbkdf2_hmac().hex()' instead.",
- DeprecationWarning,
- stacklevel=2,
- )
- return pbkdf2_bin(data, salt, iterations, keylen, hashfunc).hex()
- def pbkdf2_bin(
- data: t.Union[str, bytes],
- salt: t.Union[str, bytes],
- iterations: int = DEFAULT_PBKDF2_ITERATIONS,
- keylen: t.Optional[int] = None,
- hashfunc: t.Optional[t.Union[str, t.Callable]] = None,
- ) -> bytes:
- """Returns a binary digest for the PBKDF2 hash algorithm of `data`
- with the given `salt`. It iterates `iterations` times and produces a
- key of `keylen` bytes. By default, SHA-256 is used as hash function;
- a different hashlib `hashfunc` can be provided.
- :param data: the data to derive.
- :param salt: the salt for the derivation.
- :param iterations: the number of iterations.
- :param keylen: the length of the resulting key. If not provided
- the digest size will be used.
- :param hashfunc: the hash function to use. This can either be the
- string name of a known hash function or a function
- from the hashlib module. Defaults to sha256.
- .. deprecated:: 2.0
- Will be removed in Werkzeug 2.1. Use :func:`hashlib.pbkdf2_hmac`
- instead.
- .. versionadded:: 0.9
- """
- warnings.warn(
- "'pbkdf2_bin' is deprecated and will be removed in Werkzeug"
- " 2.1. Use 'hashlib.pbkdf2_hmac()' instead.",
- DeprecationWarning,
- stacklevel=2,
- )
- if isinstance(data, str):
- data = data.encode("utf8")
- if isinstance(salt, str):
- salt = salt.encode("utf8")
- if not hashfunc:
- hash_name = "sha256"
- elif callable(hashfunc):
- hash_name = hashfunc().name
- else:
- hash_name = hashfunc
- return hashlib.pbkdf2_hmac(hash_name, data, salt, iterations, keylen)
- def safe_str_cmp(a: str, b: str) -> bool:
- """This function compares strings in somewhat constant time. This
- requires that the length of at least one string is known in advance.
- Returns `True` if the two strings are equal, or `False` if they are not.
- .. deprecated:: 2.0
- Will be removed in Werkzeug 2.1. Use
- :func:`hmac.compare_digest` instead.
- .. versionadded:: 0.7
- """
- warnings.warn(
- "'safe_str_cmp' is deprecated and will be removed in Werkzeug"
- " 2.1. Use 'hmac.compare_digest' instead.",
- DeprecationWarning,
- stacklevel=2,
- )
- if isinstance(a, str):
- a = a.encode("utf-8") # type: ignore
- if isinstance(b, str):
- b = b.encode("utf-8") # type: ignore
- return hmac.compare_digest(a, b)
- def gen_salt(length: int) -> str:
- """Generate a random string of SALT_CHARS with specified ``length``."""
- if length <= 0:
- raise ValueError("Salt length must be positive")
- return "".join(secrets.choice(SALT_CHARS) for _ in range(length))
- def _hash_internal(method: str, salt: str, password: str) -> t.Tuple[str, str]:
- """Internal password hash helper. Supports plaintext without salt,
- unsalted and salted passwords. In case salted passwords are used
- hmac is used.
- """
- if method == "plain":
- return password, method
- salt = salt.encode("utf-8")
- password = password.encode("utf-8")
- if method.startswith("pbkdf2:"):
- if not salt:
- raise ValueError("Salt is required for PBKDF2")
- args = method[7:].split(":")
- if len(args) not in (1, 2):
- raise ValueError("Invalid number of arguments for PBKDF2")
- method = args.pop(0)
- iterations = int(args[0] or 0) if args else DEFAULT_PBKDF2_ITERATIONS
- return (
- hashlib.pbkdf2_hmac(method, password, salt, iterations).hex(),
- f"pbkdf2:{method}:{iterations}",
- )
- if salt:
- return hmac.new(salt, password, method).hexdigest(), method
- return hashlib.new(method, password).hexdigest(), method
- def generate_password_hash(
- password: str, method: str = "pbkdf2:sha256", salt_length: int = 16
- ) -> str:
- """Hash a password with the given method and salt with a string of
- the given length. The format of the string returned includes the method
- that was used so that :func:`check_password_hash` can check the hash.
- The format for the hashed string looks like this::
- method$salt$hash
- This method can **not** generate unsalted passwords but it is possible
- to set param method='plain' in order to enforce plaintext passwords.
- If a salt is used, hmac is used internally to salt the password.
- If PBKDF2 is wanted it can be enabled by setting the method to
- ``pbkdf2:method:iterations`` where iterations is optional::
- pbkdf2:sha256:80000$salt$hash
- pbkdf2:sha256$salt$hash
- :param password: the password to hash.
- :param method: the hash method to use (one that hashlib supports). Can
- optionally be in the format ``pbkdf2:method:iterations``
- to enable PBKDF2.
- :param salt_length: the length of the salt in letters.
- """
- salt = gen_salt(salt_length) if method != "plain" else ""
- h, actual_method = _hash_internal(method, salt, password)
- return f"{actual_method}${salt}${h}"
- def check_password_hash(pwhash: str, password: str) -> bool:
- """Check a password against a given salted and hashed password value.
- In order to support unsalted legacy passwords this method supports
- plain text passwords, md5 and sha1 hashes (both salted and unsalted).
- Returns `True` if the password matched, `False` otherwise.
- :param pwhash: a hashed string like returned by
- :func:`generate_password_hash`.
- :param password: the plaintext password to compare against the hash.
- """
- if pwhash.count("$") < 2:
- return False
- method, salt, hashval = pwhash.split("$", 2)
- return hmac.compare_digest(_hash_internal(method, salt, password)[0], hashval)
- def safe_join(directory: str, *pathnames: str) -> t.Optional[str]:
- """Safely join zero or more untrusted path components to a base
- directory to avoid escaping the base directory.
- :param directory: The trusted base directory.
- :param pathnames: The untrusted path components relative to the
- base directory.
- :return: A safe path, otherwise ``None``.
- """
- parts = [directory]
- for filename in pathnames:
- if filename != "":
- filename = posixpath.normpath(filename)
- if (
- any(sep in filename for sep in _os_alt_seps)
- or os.path.isabs(filename)
- or filename == ".."
- or filename.startswith("../")
- ):
- return None
- parts.append(filename)
- return posixpath.join(*parts)
|