Resolve "Use a HMAC instead of a hash"

2025-05-12 19:22:21 -04:00 · 2020-04-26 09:50:14 -07:00 · 2020-04-26 09:50:14 -07:00 · c301e472bd
commit c301e472bd
parent e1bac8b6a7
9 changed files with 148 additions and 91 deletions
--- a/matweb/utils.py
+++ b/matweb/utils.py
@ -12,15 +12,21 @@ def get_allow_origin_header_value():
    return os.environ.get('MAT2_ALLOW_ORIGIN_WHITELIST', '*').split(" ")


-def hash_file(filepath: str) -> str:
-    sha256 = hashlib.sha256()
+def hash_file(filepath: str, secret: str) -> str:
+    """
+    The goal of the hmac is to ONLY make the hashes unpredictable
+    :param filepath: Path of the file
+    :param secret: a server side generated secret
+    :return: digest, secret
+    """
+    mac = hmac.new(secret.encode(), None, hashlib.sha256)
    with open(filepath, 'rb') as f:
        while True:
            data = f.read(65536)  # read the file by chunk of 64k
            if not data:
                break
-            sha256.update(data)
-    return sha256.hexdigest()
+            mac.update(data)
+    return mac.hexdigest()


 def check_upload_folder(upload_folder):
@ -28,11 +34,20 @@ def check_upload_folder(upload_folder):
        os.mkdir(upload_folder)


-def return_file_created_response(output_filename, mime, key, meta, meta_after, download_link):
+def return_file_created_response(
+        output_filename: str,
+        mime: str,
+        key: str,
+        secret: str,
+        meta: list,
+        meta_after: list,
+        download_link: str
+) -> dict:
    return {
        'output_filename': output_filename,
        'mime': mime,
        'key': key,
+        'secret': secret,
        'meta': meta,
        'meta_after': meta_after,
        'download_link': download_link
@ -65,9 +80,9 @@ def cleanup(parser, filepath, upload_folder):
    parser, _ = parser_factory.get_parser(parser.output_filename)
    meta_after = parser.get_meta()
    os.remove(filepath)
-
-    key = hash_file(os.path.join(upload_folder, output_filename))
-    return key, meta_after, output_filename
+    secret = os.urandom(32).hex()
+    key = hash_file(os.path.join(upload_folder, output_filename), secret)
+    return key, secret, meta_after, output_filename


 def get_file_paths(filename, upload_folder):
@ -77,7 +92,7 @@ def get_file_paths(filename, upload_folder):
    return complete_path, filepath


-def is_valid_api_download_file(filename, key, upload_folder):
+def is_valid_api_download_file(filename: str, key: str, secret: str, upload_folder: str) -> [str, str]:
    if filename != secure_filename(filename):
        abort(400, message='Insecure filename')

@ -86,6 +101,6 @@ def is_valid_api_download_file(filename, key, upload_folder):
    if not os.path.exists(complete_path):
        abort(404, message='File not found')

-    if hmac.compare_digest(hash_file(complete_path), key) is False:
+    if hmac.compare_digest(hash_file(complete_path, secret), key) is False:
        abort(400, message='The file hash does not match')
    return complete_path, filepath