From af1e9210b9f0691425f4bc0d0ddde131db4eeaf3 Mon Sep 17 00:00:00 2001 From: Akshay Joshi Date: Fri, 26 Aug 2022 18:58:16 +0530 Subject: [PATCH] Fixed some security hotspots. --- web/pgadmin/static/js/Explain/Graphical.jsx | 4 ++-- web/pgadmin/utils/session.py | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/web/pgadmin/static/js/Explain/Graphical.jsx b/web/pgadmin/static/js/Explain/Graphical.jsx index c402e7245..59137e1de 100644 --- a/web/pgadmin/static/js/Explain/Graphical.jsx +++ b/web/pgadmin/static/js/Explain/Graphical.jsx @@ -66,7 +66,7 @@ PolyLine.propTypes = { function Multitext({currentXpos, currentYpos, label, maxWidth}) { const theme = useTheme(); let abc = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; - var xmlns = 'http://www.w3.org/2000/svg'; + var xmlns = 'https://www.w3.org/2000/svg'; var svgElem = document.createElementNS(xmlns, 'svg'); svgElem.setAttributeNS(xmlns, 'height', '100%'); svgElem.setAttributeNS(xmlns, 'width', '100%'); @@ -295,7 +295,7 @@ function PlanSVG({planData, zoomFactor, fitZoomFactor, ...props}) { }, [planData.width]); return ( - + {Object.keys(props.ctx.arrows).map((arr_id, i)=>{ let arrowPoints = [ diff --git a/web/pgadmin/utils/session.py b/web/pgadmin/utils/session.py index 867d52586..11233b05d 100644 --- a/web/pgadmin/utils/session.py +++ b/web/pgadmin/utils/session.py @@ -20,7 +20,7 @@ import datetime import hmac import hashlib import os -import random +import secrets import string import time import config @@ -41,7 +41,7 @@ from pgadmin.utils.ajax import make_json_response def _calc_hmac(body, secret): return base64.b64encode( hmac.new( - secret.encode(), body.encode(), hashlib.sha1 + secret.encode(), body.encode(), hashlib.sha256 ).digest() ).decode() 
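Review bot: The `xmlns` change in the Multitext hunk breaks SVG creation rather than hardening anything: `http://www.w3.org/2000/svg` is the namespace *name* that `document.createElementNS` compares byte-for-byte, not an address the browser fetches, so with the `https://` spelling the created element is a generic element in an unknown namespace and the `setAttributeNS` calls and text measurement that follow no longer act on an `<svg>`. The scanner finding is a false positive; restore the literal and suppress it in place, e.g. `var xmlns = 'http://www.w3.org/2000/svg'; // NOSONAR - XML namespace identifier, not a fetched URL` (NOSONAR being SonarQube's marker, whose "security hotspot" wording the commit message uses). The same applies to the `xmlns` attribute on the `<svg>` element in the PlanSVG hunk if it was edited the same way; the changed lines of that hunk did not survive on this page, so that cannot be confirmed here. Both `Multitext` and `PlanSVG` continue outside their hunks.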
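Review bot: Switching `_calc_hmac` from SHA-1 to SHA-256 changes the digest of every session already issued, so if session records persist across the upgrade (the per-session `hmac_digest` in the next hunk suggests they do) all of them stop verifying and every user is signed out; that consequence belongs in the commit message or a comment next to the hash. HMAC-SHA1 is not itself broken, since HMAC does not rely on collision resistance, so this is hygiene rather than a fix and is fine as long as it is rolled out knowingly. The function has no docstring; I would add `"""Return the base64-encoded HMAC-SHA256 of *body* keyed with *secret*; changing the hash invalidates all previously issued digests."""`. Wherever the stored digest is compared with a recomputed one (outside this hunk), the comparison should be `hmac.compare_digest`, not `==`.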
@@ -70,7 +70,8 @@ class ManagedSession(CallbackDict, SessionMixin): if not self.hmac_digest: population = string.ascii_lowercase + string.digits - self.randval = ''.join(random.sample(population, 20)) + self.randval = ''.join( + secrets.choice(population) for i in range(20)) self.hmac_digest = _calc_hmac( '%s:%s' % (self.sid, self.randval), secret)
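Review bot: The new `secrets.choice` loop is the right primitive, but its loop variable `i` is never used and 20 is a bare magic number; `self.randval = ''.join(secrets.choice(population) for _ in range(20))` reads as intended, or `self.randval = secrets.token_hex(16)` gives 128 bits instead of the roughly 103 bits of 20 lowercase-alphanumeric characters, provided nothing downstream depends on `randval` being lowercase alphanumeric, which this hunk cannot confirm. Note that `random.sample` drew 20 *distinct* characters whereas the new value may repeat characters; that is strictly better for unpredictability and should not matter to consumers, but is worth a line such as `# CSPRNG nonce; repeated characters are allowed, unlike the old random.sample`. The HMAC covers `sid:randval`, so `self.sid` must also come from a CSPRNG; its generation, and the `def` line of the method this hunk sits in, are outside the hunk.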