This repository has been archived by the owner on May 26, 2021. It is now read-only.

Secret key must be unique and secret for every installation. #61

Merged
merged 3 commits into develop from secret-key-fix
Nov 17, 2020

Conversation

emorozov (Collaborator) commented Nov 9, 2020

The current implementation uses the same open SECRET_KEY for all installations. This creates a severe vulnerability.

According to the documentation, changing the secret key will invalidate:

  • All sessions if you are using any other session backend than django.contrib.sessions.backends.cache, or are using the default get_session_auth_hash().
  • All messages if you are using CookieStorage or FallbackStorage.
  • All PasswordResetView tokens.
  • Any usage of cryptographic signing, unless a different key is provided.
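The two points raised above (a key shared by every installation can be used by anyone who reads the source, and replacing it invalidates everything signed under the old key) can be shown with a small stand-alone script. This is an added illustration, not code from the parrot project or its settings.py: it uses a stdlib HMAC signer in the spirit of Django's signing module rather than Django itself, and the environment variable name `DJANGO_SECRET_KEY` and the placeholder key value are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical placeholder standing in for a key hard-coded into the source.
# The exact value does not matter: every installation shipping this code would
# share it, so anyone who reads the repository can sign as any installation.
INSECURE_DEFAULT_KEY = "insecure-placeholder-shared-key"
SECRET_KEY_ENV_VAR = "DJANGO_SECRET_KEY"  # assumed name, not from the PR


def make_secret_key(length: int = 50) -> str:
    """Generate a fresh secret for one installation from a CSPRNG."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def load_secret_key(env: dict, var: str = SECRET_KEY_ENV_VAR, min_length: int = 50) -> str:
    """Return the per-installation secret from the environment.

    Refuses an unset variable, the shared placeholder and short keys, so a
    deployment cannot silently start with a key that every other copy knows.
    """
    key = env.get(var, "")
    if not key:
        raise RuntimeError(f"{var} is not set; generate one with make_secret_key()")
    if key == INSECURE_DEFAULT_KEY:
        raise RuntimeError(f"{var} is the shared placeholder; set a unique value")
    if len(key) < min_length:
        raise RuntimeError(f"{var} must be at least {min_length} characters")
    return key


def key_is_acceptable(env: dict) -> bool:
    """Convenience wrapper: True if load_secret_key() would accept this environment."""
    try:
        load_secret_key(env)
    except RuntimeError:
        return False
    return True


def sign(value: str, key: str) -> str:
    """Append an HMAC-SHA256 tag to value (stdlib stand-in for django.core.signing)."""
    tag = hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{tag}"


def unsign(signed: str, key: str) -> Optional[str]:
    """Return the value if its tag verifies under key, else None."""
    value, sep, tag = signed.rpartition(":")
    if not sep:
        return None
    expected = hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return value


def demo() -> dict:
    """Show the consequences described in the PR with constructed sample tokens."""
    # Constructed sample: a session token signed under the shared placeholder.
    # Every installation (and anyone with the source) can produce or accept it.
    shared_token = sign("session:alice", INSECURE_DEFAULT_KEY)
    # Two independent installations, each with its own generated secret.
    key_a, key_b = make_secret_key(), make_secret_key()
    token_a = sign("session:alice", key_a)
    return {
        "shared_key_accepts_token": unsign(shared_token, INSECURE_DEFAULT_KEY) is not None,
        "own_key_verifies": unsign(token_a, key_a) == "session:alice",
        "other_installation_rejects": unsign(token_a, key_b) is None,
        # Rotating the key invalidates signed data, as the documentation warns.
        "rotation_invalidates": unsign(token_a, make_secret_key()) is None,
        "placeholder_rejected_at_startup": not key_is_acceptable({SECRET_KEY_ENV_VAR: INSECURE_DEFAULT_KEY}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The startup check is the part worth copying into a settings module: reading the key from the environment alone is not enough if a known placeholder is still accepted, because a forgotten deployment step leaves that installation sharing its signing key with everyone who has the source.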

codecov bot commented Nov 9, 2020

Codecov Report

Merging #61 (5ec6014) into develop (9e0eeef) will not change coverage.
The diff coverage is 100.00%.


@@           Coverage Diff            @@
##           develop      #61   +/-   ##
========================================
  Coverage    98.31%   98.31%           
========================================
  Files            5        5           
  Lines          119      119           
  Branches         4        4           
========================================
  Hits           117      117           
  Misses           2        2           
Impacted Files Coverage Δ
parrot/settings.py 100.00% <100.00%> (ø)

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9e0eeef...5ec6014.

@lowitea lowitea self-requested a review November 9, 2020 21:52
@lowitea lowitea added this to the 0.1.6 milestone Nov 9, 2020
Review comment on parrot/settings.py (outdated, resolved)
@lowitea lowitea added the security Pull requests that address a security vulnerability label Nov 17, 2020
sonarqubecloud bot commented:

Kudos, SonarCloud Quality Gate passed!

Bugs: 0 (rating A)
Vulnerabilities: 0 (rating A), 0 Security Hotspots to review
Code Smells: 0 (rating A)
Coverage: no coverage information
Duplication: 0.0%

@lowitea lowitea merged commit 1b337b4 into develop Nov 17, 2020
@lowitea lowitea deleted the secret-key-fix branch November 17, 2020 22:45