
redditstorage's People

Contributors

dccarroll, freddiev4, jameswang14, rodrigograca31, rossem, steeling


redditstorage's Issues

It's abuse

Reddit wasn't meant for this; it's against their TOS, I am sure.

change requirements

In requirements, you say crypt.py is required, but actually it's pycrypto. Should change that to avoid confusion.

Also you should do a pip freeze > requirements.txt and put it in the folder.

Multiple cryptography issues

  1. You're using the sha256 hash of a user-supplied password as a key
    self.key = hashlib.sha256(key).digest() #turns the password into a 32char long key

This is bad because:

  • sha256 is a fast hash, meaning an attacker can brute-force this algo quicker

You should use instead:

  • argon2i, scrypt, bcrypt or pbkdf2

  2. You're using Random.new for the IV
    iv = Random.new().read(AES.block_size)

This is bad because:

  • Random isn't a CSPRNG, and uses a predictable MT algo.
  • Each fresh invocation of this script will generate the same IVs

You should use instead:

    import os
    iv = os.urandom(AES.block_size)

This uses the OS's CSPRNG (/dev/urandom on Linux, CryptGenRandom() on Windows)

  3. You have no MAC on the encryption

This is bad because:

  • Without a MAC, an attacker can manipulate your crypto (doubly true as you're using CBC)
  • Without a MAC you can't ensure that the data you upload is the data you download (both from authentication reasons and data corruption reasons)

You should use instead:

  • Since PyCrypto 2.6.1 lacks any AEAD AES types (basically there's no AES_GCM), you'll have to use HMAC.new (from Crypto.Hash import HMAC)
  • Make sure you encrypt-then-mac
  • Make sure you check the MAC before you decrypt anything; discard any encrypted data that fails the MAC check (and do this in a timing-safe way)

Summary:

It looks like the crypto code is copied from various places. This is fine if you have enough crypto-know-how to separate the wheat from the chaff, but in cases where people don't, they make bad choices like the above.

You can fix all of these in a really simple manner:

Use pynacl: https://pynacl.readthedocs.io/en/stable/

Remember: even if you don't maintain it anymore, crypto code that is broken that other people can use means that other people will assume it's fine to use, meaning more projects have insecure python cryptography.
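
An added example, not part of the issue above or of the project's own code: the envelope the issue asks for around the existing AES-CBC step, written with the Python standard library only. It stretches the password with PBKDF2, draws salt and IV from os.urandom, and checks an HMAC-SHA256 tag in constant time before anything is decrypted. The function names, blob layout (salt, IV, ciphertext, tag) and iteration count are assumptions, and the AES call itself is left to the caller.

```python
import hashlib
import hmac
import os

SALT_LEN, IV_LEN, TAG_LEN = 16, 16, 32   # IV_LEN = AES block size; layout is an assumption
PBKDF2_ITERATIONS = 600_000              # assumed work factor; tune for your hardware


def derive_keys(password, salt):
    """Stretch the password slowly, then split into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    enc_key = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def new_salt_and_iv():
    """Fresh per-file salt and IV from the OS CSPRNG."""
    return os.urandom(SALT_LEN), os.urandom(IV_LEN)


def seal(mac_key, salt, iv, ciphertext):
    """Encrypt-then-MAC: the tag covers salt, IV and ciphertext."""
    body = salt + iv + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(password, blob):
    """Verify the tag first; return (enc_key, iv, ciphertext) only if it matches."""
    if len(blob) < SALT_LEN + IV_LEN + TAG_LEN:
        raise ValueError("blob too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt, iv = body[:SALT_LEN], body[SALT_LEN:SALT_LEN + IV_LEN]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # timing-safe comparison
        raise ValueError("MAC check failed, data discarded")
    return enc_key, iv, body[SALT_LEN + IV_LEN:]


if __name__ == "__main__":
    salt, iv = new_salt_and_iv()
    enc_key, mac_key = derive_keys(b"correct horse", salt)
    ciphertext = bytes(32)   # constructed stand-in for the AES-CBC output
    blob = seal(mac_key, salt, iv, ciphertext)
    assert open_sealed(b"correct horse", blob) == (enc_key, iv, ciphertext)
```

Only the enc_key and iv returned by open_sealed should be handed to the AES-CBC decryption; a ValueError means the stored data is dropped without being decrypted.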

AttributeError: 'module' object has no attribute 'subscribe'

I installed wxPython from the software repositories and checked the version; it was 2.8. Then when I started it, it gave me the following error message:

:0: UserWarning: The keyword `bot` in your user_agent may be problematic.
Traceback (most recent call last):
  File "RedditStorage.py", line 477, in <module>
    MainWindow(None, title='subreddit')
  File "RedditStorage.py", line 398, in __init__
    notebook = MainNotebook(panel)
  File "RedditStorage.py", line 365, in __init__
    self.InitUI()
  File "RedditStorage.py", line 371, in InitUI
    tabTwo = GetPanel(self)
  File "RedditStorage.py", line 225, in __init__
    pub.subscribe(self.fileListener, "fileListener")
AttributeError: 'module' object has no attribute 'subscribe'

I tried importing pub from the python interpreter as

from wx.lib.pubsub import pub

and it did import, but there was indeed no subscribe module, it gave me an AttributeError.

I looked through the documentation and found this page: pubsub

By following the instructions there, I could easily change the code and make everything work. The change is just two lines of code as follows,

from wx.lib.pubsub import Publisher
pub = Publisher()

This change should work.

Also, why am I having this problem? Is my version too old? Do I need to upgrade to 3.0?
I can submit a pull request if this is a real issue and not just a problem with my machine.

Command line interface

What about adding a command line interface? Most of the functionality is already done, so making a cli app from this should be easy.

Project turns creators and users into monsters

Steps to reproduce:

  1. Implement RedditStorage, or make use of it at scale.
  2. Examine oneself via a plane mirror.

Expected behavior

Image in mirror is of a person and not of a monster.

Actual behavior

Image in mirror is a monster, albeit a cool and clever one.
