From d299feb420bd4707fd16710653df381878aacba3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?=
Date: Thu, 25 Apr 2019 21:55:30 +0300
Subject: [PATCH] Salt the ip address before hashing

---
 hc/accounts/tests/test_login.py | 4 ++--
 hc/api/models.py | 7 ++++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/hc/accounts/tests/test_login.py b/hc/accounts/tests/test_login.py
index b6fd5e97..5f7c21cf 100644
--- a/hc/accounts/tests/test_login.py
+++ b/hc/accounts/tests/test_login.py
@@ -50,8 +50,8 @@ class LoginTestCase(BaseTestCase):
 
     @override_settings(SECRET_KEY="test-secret")
     def test_it_rate_limits_ips(self):
-        # 4b84.... is sha1("127.0.0.1test-secret")
-        obj = TokenBucket(value="ip-4b84b15bff6ee5796152495a230e45e3d7e947d9")
+        # 60be.... is sha1("127.0.0.1test-secret")
+        obj = TokenBucket(value="ip-60be45f44bd9ab3805871fb1137594e708c993ff")
         obj.tokens = 0
         obj.save()
 
diff --git a/hc/api/models.py b/hc/api/models.py
index ce131a5b..326cb636 100644
--- a/hc/api/models.py
+++ b/hc/api/models.py
@@ -629,8 +629,8 @@ class TokenBucket(models.Model):
         mailbox = mailbox.split("+")[0]
         email = mailbox + "@" + domain
 
-        b = (email + settings.SECRET_KEY).encode()
-        value = "em-%s" % hashlib.sha1(b).hexdigest()
+        salted_encoded = (email + settings.SECRET_KEY).encode()
+        value = "em-%s" % hashlib.sha1(salted_encoded).hexdigest()
 
         # 20 emails per 3600 seconds (1 hour):
         return TokenBucket.authorize(value, 20, 3600)
@@ -640,7 +640,8 @@ class TokenBucket(models.Model):
         headers = request.META
         ip = headers.get("HTTP_X_FORWARDED_FOR", headers["REMOTE_ADDR"])
         ip = ip.split(",")[0]
-        value = "ip-%s" % hashlib.sha1(ip.encode()).hexdigest()
+        salted_encoded = (ip + settings.SECRET_KEY).encode()
+        value = "ip-%s" % hashlib.sha1(salted_encoded).hexdigest()
 
         # 20 login attempts from a single IP per 3600 seconds (1 hour):
         return TokenBucket.authorize(value, 20, 3600)
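Review bot: The test pins the bucket key as a precomputed hex constant, which duplicates the hashing scheme from hc/api/models.py and has to be recomputed by hand every time that scheme changes (this commit already had to do exactly that, and the old comment had drifted from the constant it described). Deriving the value in the test keeps the two in lock-step: `value = "ip-%s" % hashlib.sha1(("127.0.0.1" + "test-secret").encode()).hexdigest()` followed by `obj = TokenBucket(value=value)`, with the `# 60be....` comment dropped. If the hashing is later moved to an HMAC, only models.py and this one expression need to move together. The body of test_it_rate_limits_ips continues past the end of the hunk.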
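Review bot: Mixing the secret in by plain concatenation (`email + settings.SECRET_KEY`, and `ip + settings.SECRET_KEY` in the next hunk) is an ad-hoc keyed hash; the standard construction for "hash this value under our secret" is an HMAC, e.g. `value = "em-%s" % hmac.new(settings.SECRET_KEY.encode(), email.encode(), hashlib.sha1).hexdigest()`, which keeps the same 40-hex output length so the stored value width and the `em-`/`ip-` prefixes are unaffected (the hard-coded digest in hc/accounts/tests/test_login.py would change). Django also ships `django.utils.crypto.salted_hmac` for this purpose, if you prefer not to touch SECRET_KEY directly. The reason for salting is presumably that an unsalted sha1 of an IPv4 address or a known email is trivially reversible by anyone who can read the TokenBucket table; a one-line comment above `salted_encoded = ...` saying so would keep the next reader from "simplifying" it away. Note also that because the key is derived from SECRET_KEY, rotating the secret orphans every existing bucket and effectively resets all rate limits — worth a comment if that is acceptable. The enclosing method starts before this hunk.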
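Review bot: Salting the key does not change what the bucket is keyed on, and the visible context lines derive `ip` from the first entry of `HTTP_X_FORWARDED_FOR` whenever the header is present, falling back to `REMOTE_ADDR` only when it is absent. Unless a trusted reverse proxy is guaranteed to overwrite that header, its first entry is whatever the client sent, so the rate-limit bucket is chosen by the requester rather than by their address; the defensive shape is to honor X-Forwarded-For only when the deployment is known to sit behind such a proxy (or to use the proxy-appended entry, not the first), and otherwise key on `REMOTE_ADDR`. At minimum I would add, above the `headers.get(...)` line, `# X-Forwarded-For is client-controlled unless a trusted proxy rewrites it; confirm deployment topology`. The enclosing method starts before this hunk, so I cannot see whether a proxy check is already done above.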