policies/password: merge hibp add zxcvbn #4001

Merged
merged 6 commits into from Nov 14, 2022

BeryJu
Member

@BeryJu BeryJu commented Nov 14, 2022

closes #3993

"""Check if password is in HIBP DB. Hashes given Password with SHA1, uses the first 5
characters of Password in request and checks if full hash is in response. Returns 0
if Password is not in result otherwise the count of how many times it was used."""
pw_hash = sha1(password.encode("utf-8")).hexdigest() # nosec
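
Review bot: the docstring says the request uses "the first 5 characters of Password", but the line below it computes `pw_hash` with SHA1 and the docstring goes on to check for the "full hash" in the response, so the prefix must come from the hash; reword it to "the first 5 characters of the hash". The trailing `# nosec` also gives no reason for the suppression: add a short comment that this digest is only the lookup value for the HIBP check and is not how the password is stored, so that the weak-hash finding attached to this line can be triaged from the code alone.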

Check failure

Code scanning / CodeQL

Use of a broken or weak cryptographic hashing algorithm on sensitive data

[Sensitive data (password)](1) is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function.
[Sensitive data (password)](2) is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function.
[Sensitive data (password)](3) is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function.
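
The lookup that the flagged docstring describes, as an added example that is not authentik's code: it assumes the Pwned Passwords range format (the first 5 hex characters of the SHA-1 are sent, `SUFFIX:COUNT` lines come back) and runs offline against a constructed response body. The function names, the sample counts and the zero-count padding row are assumptions made for illustration.

```python
import hashlib
import hmac


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the 5 hex chars that are sent, the 35 kept local."""
    # SHA-1 is fixed by the lookup format; it is never a storage hash here.
    digest = hashlib.sha1(password.encode("utf-8"), usedforsecurity=False)
    hex_digest = digest.hexdigest().upper()
    return hex_digest[:5], hex_digest[5:]


def breach_count(password: str, range_body: str) -> int:
    """Return the count listed for `password` in a range response, 0 if absent."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or len(candidate) != 35 or not count.isdigit():
            continue  # skip blank or malformed rows instead of raising
        if hmac.compare_digest(candidate.upper(), suffix):
            return int(count)  # a padding row matches with count 0
    return 0


# Constructed response body (counts are made up); splitlines() accepts CRLF or LF.
SAMPLE_BODY = "\r\n".join([
    "0" * 35 + ":7",                       # unrelated suffix
    split_hash("password")[1] + ":12345",  # a listed password
    split_hash("hunter2")[1] + ":0",       # padding-style row (assumed format)
    "not-a-valid-row",
])


if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print("prefix sent in the request:", prefix)
    print("count for 'password':", breach_count("password", SAMPLE_BODY))
```

Only the 5-character prefix would leave the process; the comparison against the full suffix happens locally, which is why the digest here acts as a lookup key rather than as password storage.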

codecov bot commented Nov 14, 2022

Codecov Report

Base: 92.54% // Head: 92.54% // No change to project coverage 👍

Coverage data is based on head (ffe6f65) compared to base (ffe6f65).
Patch has no changes to coverable lines.

❗ Current head ffe6f65 differs from pull request most recent head 8a714b9. Consider uploading reports for the commit 8a714b9 to get more accurate results

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4001   +/-   ##
=======================================
  Coverage   92.54%   92.54%           
=======================================
  Files         470      470           
  Lines       22852    22852           
=======================================
  Hits        21145    21145           
  Misses       1707     1707           
Flag Coverage Δ
e2e 54.35% <0.00%> (ø)
integration 27.83% <0.00%> (ø)
unit 89.07% <0.00%> (ø)



netlify bot commented Nov 14, 2022

Deploy Preview for authentik ready!

Name Link
🔨 Latest commit 8a714b9
🔍 Latest deploy log https://app.netlify.com/sites/authentik/deploys/637241ad4d72520009759816
😎 Deploy Preview https://deploy-preview-4001--authentik.netlify.app

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
@BeryJu BeryJu merged commit 8859407 into main Nov 14, 2022
@BeryJu BeryJu deleted the policies/password-merge branch November 14, 2022 13:42
Successfully merging this pull request may close these issues.

Implement a more flexible password strength check