Potential fix for code scanning alert no. 44: Use of a broken or weak cryptographic hashing algorithm on sensitive data

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This commit is contained in:
LIghtJUNction
2026-03-19 17:40:09 +08:00
committed by GitHub
parent 201a19a63e
commit fce8069b18
2 changed files with 20 additions and 2 deletions

View File

@@ -5,6 +5,7 @@ from collections.abc import Callable
from typing import Any
import click
from argon2 import PasswordHasher, exceptions as argon2_exceptions
from astrbot.core.utils.astrbot_path import astrbot_paths
@@ -17,19 +18,35 @@ DEFAULT_DASHBOARD_PASSWORD = "astrbot"
# Note: In a full implementation, salts should be unique per password.
DASHBOARD_PASSWORD_SALT = b"astrbot-dashboard"
DASHBOARD_PASSWORD_ITERATIONS = 200_000
PASSWORD_HASHER = PasswordHasher()
def hash_dashboard_password_secure(value: str) -> str:
"""Securely hash a Dashboard password using PBKDF2-HMAC-SHA256."""
dk = hashlib.pbkdf2_hmac(
"""Hash Dashboard password for storage.
"sha256",
Uses Argon2 for new passwords to provide a computationally expensive,
salted hash suitable for password storage.
"""
return PASSWORD_HASHER.hash(value)
value.encode(),
DASHBOARD_PASSWORD_SALT,
DASHBOARD_PASSWORD_ITERATIONS,
)
return dk.hex()
"""Return True if the value looks like a supported dashboard password hash.
Supports:
- Argon2 hashes (preferred, start with "$argon2")
- Legacy SHA-256 and MD5 hexadecimal digests.
"""
# Argon2 hashes contain algorithm marker like `$argon2id$...`
if value.startswith("$argon2"):
return True
# Fallback to legacy hexadecimal digests
# Legacy default password hashes kept for backward compatibility.
DEFAULT_DASHBOARD_PASSWORD_MD5 = hashlib.md5(
DEFAULT_DASHBOARD_PASSWORD.encode()

View File

@@ -1,4 +1,5 @@
# This file was autogenerated by uv via the following command:
argon2-cffi==25.1.0
# uv export --no-hashes --output-file requirements.txt
-e .
aiocqhttp==1.4.4