Security and code quality improvements. #620
Conversation
1. Removed and sorted imports with `isort`, code formatted with `black`. 2. Instead of hashing a random value with SHA1, I utilized `secrets.token_hex(20)` to streamline the code and reduce unnecessary computational overhead. If hashing is still preferred, I recommend using `hashlib.blake2b()` with `digest_size=20`, as it is faster and more secure than SHA1, especially on 64-bit platforms. 3. I enhanced variable names for better clarity in several instances. 4. Replaced unnecessary concatenation with f-strings to make the code more readable and efficient. 5. I have ensured proper data types are used in the entire code. I also propose using static typing with type hints; I will be happy to raise a pull request for this as well :D 6. Used short-circuit conditions to improve performance by allowing for early exits in conditional checks. 7. Instead of loading entire files into memory to determine their sizes, I've used `file.tell()` for efficiency reasons. I also made sure it is returned to the original file pointer over resetting back to 0, which should ensure WTF works everywhere. 8. Improved HTML formatting in `recaptcha/widgets.py`. Signed-off-by: Ari Archer <[email protected]>
Signed-off-by: Ari Archer <[email protected]>
|
I hope you learned something good and new! LGTM |
Signed-off-by: Ari Archer <[email protected]>
|
Thanks for your interest. However, please read https://davidism.com/school-assignment-open-source/ and pass on the link to your instructor. This is a bunch of unconnected changes with no discussion first. Many of the changes are not "better", just "different". We generally don't accept "code quality improvements" from unknown contributors, as it's usually just busywork for the maintainers. |
|
If you're looking for what to contribute, see the list of open issues: https://github.com/pallets-eco/flask-wtf/issues. |
Thanks for taking the time to review this PR anyway :) |
Hello Flask-WTF Developers,
As a high school student currently involved with the Research School project, I am researching secure programming practices, code quality, and generally "good programming" in relation to security. I am currently done with the research part, and I am trying to apply my findings and research to open source projects, such as this one.
Why Flask-WTF? The Flask-WTF extension plays an important role in the Flask ecosystem. Specifically, in security issues and backend code tidiness. The students who have submitted their code to the project (their code isn't available in the repo due to licensing things) used Flask-WTF to improve their code, thus, thought why not contribute :D
I did a few improvements that I would like to propose:
isort, code formatted withblack.secrets.token_hex(20)to streamline the code and reduce unnecessary computational overhead. If hashing is still preferred, I recommend usinghashlib.blake2b()withdigest_size=20, as it is faster and more secure than SHA1, especially on 64-bit platforms.file.tell()for efficiency reasons. I also made sure it is returned to the original file pointer over resetting back to 0, which should ensure WTF works everywhere.recaptcha/widgets.py.Before making this PR I have run the tests to ensure I haven't broken anything.
Thank you for reviewing my pull request. I look forward to hearing your feedback <3
Checklist:
docs/changes.rstsummarizing the change and linking to the issue. Add.. versionchanged::entries in any relevant code docs.