mirror of
https://github.com/benbusby/whoogle-search.git
synced 2025-07-09 03:04:13 -04:00
Switch from pickle
->json
for config encoding
`pickle.loads` is insecure (and unnecessary in this context). The simpler data types of the config model can easily be serialized to json instead.
This commit is contained in:
parent
466cb63d0e
commit
223f00c3c0
@ -3,13 +3,12 @@ from typing import Optional
|
||||
from app.utils.misc import read_config_bool
|
||||
from flask import current_app
|
||||
import os
|
||||
import re
|
||||
from base64 import urlsafe_b64encode, urlsafe_b64decode
|
||||
import pickle
|
||||
from cryptography.fernet import Fernet
|
||||
import hashlib
|
||||
import brotli
|
||||
import logging
|
||||
import json
|
||||
|
||||
import cssutils
|
||||
from cssutils.css.cssstylesheet import CSSStyleSheet
|
||||
@ -62,7 +61,7 @@ class Config:
|
||||
self.anon_view = read_config_bool('WHOOGLE_CONFIG_ANON_VIEW')
|
||||
self.preferences_encrypted = read_config_bool('WHOOGLE_CONFIG_PREFERENCES_ENCRYPTED')
|
||||
self.preferences_key = os.getenv('WHOOGLE_CONFIG_PREFERENCES_KEY', '')
|
||||
|
||||
|
||||
self.accept_language = False
|
||||
|
||||
self.safe_keys = [
|
||||
@ -144,7 +143,7 @@ class Config:
|
||||
# if encryption key is not set will uncheck preferences encryption
|
||||
if self.preferences_encrypted:
|
||||
self.preferences_encrypted = bool(self.preferences_key)
|
||||
|
||||
|
||||
# add a tag for visibility if preferences token startswith 'e' it means
|
||||
# the token is encrypted, 'u' means the token is unencrypted and can be
|
||||
# used by other whoogle instances
|
||||
@ -237,35 +236,32 @@ class Config:
|
||||
return key
|
||||
|
||||
def _encode_preferences(self) -> str:
|
||||
encoded_preferences = brotli.compress(pickle.dumps(self.get_attrs()))
|
||||
if self.preferences_encrypted:
|
||||
if self.preferences_key != '':
|
||||
key = self._get_fernet_key(self.preferences_key)
|
||||
encoded_preferences = Fernet(key).encrypt(encoded_preferences)
|
||||
encoded_preferences = brotli.compress(encoded_preferences)
|
||||
preferences_json = json.dumps(self.get_attrs()).encode()
|
||||
compressed_preferences = brotli.compress(preferences_json)
|
||||
|
||||
return urlsafe_b64encode(encoded_preferences).decode()
|
||||
if self.preferences_encrypted and self.preferences_key:
|
||||
key = self._get_fernet_key(self.preferences_key)
|
||||
encrypted_preferences = Fernet(key).encrypt(compressed_preferences)
|
||||
compressed_preferences = brotli.compress(encrypted_preferences)
|
||||
|
||||
return urlsafe_b64encode(compressed_preferences).decode()
|
||||
|
||||
def _decode_preferences(self, preferences: str) -> dict:
|
||||
mode = preferences[0]
|
||||
preferences = preferences[1:]
|
||||
if mode == 'e': # preferences are encrypted
|
||||
try:
|
||||
|
||||
try:
|
||||
decoded_data = brotli.decompress(urlsafe_b64decode(preferences.encode() + b'=='))
|
||||
|
||||
if mode == 'e' and self.preferences_key:
|
||||
# preferences are encrypted
|
||||
key = self._get_fernet_key(self.preferences_key)
|
||||
decrypted_data = Fernet(key).decrypt(decoded_data)
|
||||
decoded_data = brotli.decompress(decrypted_data)
|
||||
|
||||
config = Fernet(key).decrypt(
|
||||
brotli.decompress(urlsafe_b64decode(
|
||||
preferences.encode() + b'=='))
|
||||
)
|
||||
|
||||
config = pickle.loads(brotli.decompress(config))
|
||||
except Exception:
|
||||
config = {}
|
||||
elif mode == 'u': # preferences are not encrypted
|
||||
config = pickle.loads(
|
||||
brotli.decompress(urlsafe_b64decode(
|
||||
preferences.encode() + b'=='))
|
||||
)
|
||||
else: # preferences are incorrectly formatted
|
||||
config = json.loads(decoded_data)
|
||||
except Exception:
|
||||
config = {}
|
||||
|
||||
return config
|
||||
|
||||
|
@ -4,19 +4,11 @@ from app import app
|
||||
from app.models.endpoint import Endpoint
|
||||
from app.utils.session import generate_key, valid_user_session
|
||||
|
||||
|
||||
JAPAN_PREFS = 'uG-gGIJwHdqxl6DrS3mnu_511HlQcRpxYlG03Xs-' \
|
||||
+ '_znXNiJWI9nLOkRLkiiFwIpeUYMTGfUF5-t9fP5DGmzDLEt04DCx703j3nPf' \
|
||||
+ '29v_RWkU7gXw_44m2oAFIaKGmYlu4Z0bKyu9k5WXfL9Dy6YKKnpcR5CiaFsG' \
|
||||
+ 'rccNRkAPYm-eYGAFUV8M59f8StsGd_M-gHKGS9fLok7EhwBWjHxBJ2Kv8hsT' \
|
||||
+ '87zftP2gMJOevTdNnezw2Y5WOx-ZotgeheCW1BYCFcRqatlov21PHp22NGVG' \
|
||||
+ '8ZuBNAFW0bE99WSdyT7dUIvzeWCLJpbdSsq-3FUUZkxbRdFYlGd8vY1UgVAp' \
|
||||
+ 'OSie2uAmpgLFXygO-VfNBBZ68Q7gAap2QtzHCiKD5cFYwH3LPgVJ-DoZvJ6k' \
|
||||
+ 'alt34TaYiJphgiqFKV4SCeVmLWTkr0SF3xakSR78yYJU_d41D2ng-TojA9XZ' \
|
||||
+ 'uR2ZqjSvPKOWvjimu89YhFOgJxG1Po8Henj5h9OL9VXXvdvlJwBSAKw1E3FV' \
|
||||
+ '7UHWiglMxPblfxqou1cYckMYkFeIMCD2SBtju68mBiQh2k328XRPTsQ_ocby' \
|
||||
+ 'cgVKnleGperqbD6crRk3Z9xE5sVCjujn9JNVI-7mqOITMZ0kntq9uJ3R5n25' \
|
||||
+ 'Vec0TJ0P19nEtvjY0nJIrIjtnBg=='
|
||||
JAPAN_PREFS = 'uG7IBICwK7FgMJNpUawp2tKDb1Omuv_euy-cJHVZ' \
|
||||
+ 'BSydthgwxRFIHxiVA8qUGavKaDXyiM5uNuPIjKbEAW-zB_vzNXWVaafFhW7k2' \
|
||||
+ 'fO2_mS5e5eK41XXWwiViTz2VVmGWje0UgQwwVPe1A7aH0s10FgARsd2xl5nlg' \
|
||||
+ 'RLHT2krPUw-iLQ5uHZSnYXFuF4caYemWcj4vqB2ocHkt-aqn04jgnnlWWME_K' \
|
||||
+ '9ySWdWmPyS66HtLt1tCwc_-xGZklvbHw=='
|
||||
|
||||
|
||||
def test_generate_user_keys():
|
||||
|
Loading…
x
Reference in New Issue
Block a user