werkzeug.security provides generate_password_hash and check_password_hash. The default method is pbkdf2:sha256 with 600_000 iterations. Findings arise when method='plain' or a weak hasher is passed explicitly.
- `generate_password_hash()` (Sanitizer): `werkzeug.security.generate_password_hash(password, method='scrypt', salt_length=16) -> str`
  Hashes a password. Safe with the default method. Finding when `method='plain'`.
- `check_password_hash()` (Sanitizer): `werkzeug.security.check_password_hash(pwhash: str, password: str) -> bool`
  Constant-time password verification. Safe.
| FQN | Field |
|---|---|
| werkzeug.security | fqns[0] |
A wrong FQN yields 0 findings. Sanity check: change `fqns` to a garbage value; the rule must then produce 0 results.
```python
from codepathfinder.go_rule import PyWerkzeugSecurity
```
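The two properties described above (flag `method='plain'` or an explicitly weak hasher; a wrong FQN must give 0 findings) can be checked with a small stand-alone AST rule. This is an added illustration written for this page, not codepathfinder's own rule; the `WEAK_DIGESTS` set and the sample source are constructed assumptions.

```python
import ast

# Assumed weak set for this demo: cleartext storage ('plain') and pbkdf2
# with a legacy digest. This is not the tool's own list.
WEAK_DIGESTS = {"md5", "sha1"}


def _is_weak(method: str) -> bool:
    parts = method.split(":")
    if parts[0] == "plain":
        return True
    return parts[0] == "pbkdf2" and len(parts) > 1 and parts[1] in WEAK_DIGESTS


def find_weak_hash_calls(source: str,
                         fqn: str = "werkzeug.security.generate_password_hash"):
    """Return sorted [(lineno, method)] for calls to `fqn` whose `method`
    argument (keyword or second positional) is a literal naming a weak hasher.
    Calls are matched by resolved FQN, so a same-named function from another
    module, or a garbage `fqn`, produces no findings."""
    module, _, func_name = fqn.rpartition(".")
    tree = ast.parse(source)
    func_aliases, module_aliases = set(), set()
    for node in ast.walk(tree):  # collect local names bound to the FQN
        if isinstance(node, ast.ImportFrom) and node.module == module:
            func_aliases |= {a.asname or a.name for a in node.names if a.name == func_name}
        elif isinstance(node, ast.Import):
            module_aliases |= {a.asname or a.name for a in node.names if a.name == module}
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        direct = isinstance(f, ast.Name) and f.id in func_aliases
        qualified = (isinstance(f, ast.Attribute) and f.attr == func_name
                     and ast.unparse(f.value) in module_aliases)
        if not (direct or qualified):
            continue
        method = None
        if len(node.args) >= 2 and isinstance(node.args[1], ast.Constant):
            method = node.args[1].value
        for kw in node.keywords:  # keyword wins over positional if both given
            if kw.arg == "method" and isinstance(kw.value, ast.Constant):
                method = kw.value.value
        if isinstance(method, str) and _is_weak(method):
            findings.append((node.lineno, method))
    return sorted(findings)


# Constructed sample: lines 6 and 7 should be flagged, the rest should not.
SAMPLE = '''\
import werkzeug.security as ws
from werkzeug.security import generate_password_hash as gph
from other.lib import generate_password_hash

h1 = gph(pw)
h2 = gph(pw, method="plain")
h3 = ws.generate_password_hash(pw, "pbkdf2:sha1:1000")
h4 = ws.generate_password_hash(pw, method="scrypt")
h5 = generate_password_hash(pw, method="plain")
'''

if __name__ == "__main__":
    print(find_weak_hash_calls(SAMPLE))
```

Line 9 of the sample is a same-named function from another module and is deliberately not reported, which is the FQN sanity check from the table above.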