Merge pull request from GHSA-5fqv-mpj8-h7gm
Security fix
jtschladen authored Feb 28, 2023
2 parents f5c0c64 + 7c138d8 commit 666d853
Showing 5 changed files with 36 additions and 24 deletions.
8 changes: 8 additions & 0 deletions CHANGELOG.rst
Expand Up @@ -5,6 +5,14 @@ Unreleased
~~~~~~~~~~~~~~~~~~~~


1.3.2 - `2023-02-24`
~~~~~~~~~~~~~~~~~~~~
This release contains a fix for a security vulnerability.

1.3.1 - `2023-02-15`
~~~~~~~~~~~~~~~~~~~~
This release contains no changes.

1.3.0 - `2023-02-13`
~~~~~~~~~~~~~~~~~~~~
This release contains many dependency updates, and numerous added or improved features over the last year.
10 changes: 5 additions & 5 deletions docker/src/lemur.conf.py
@@ -1,5 +1,5 @@
import os.path
import random
import secrets
import string
from celery.schedules import crontab

Expand All @@ -18,10 +18,10 @@


def get_random_secret(length):
secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(round(length / 4)))
secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(round(length / 4)))
return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4)))
secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(round(length / 4)))
secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(round(length / 4)))
return secret_key + ''.join(secrets.choice(string.digits) for x in range(round(length / 4)))


# This is the secret key used by Flask session management
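Review bot: `round(length / 4)` in the rewritten get_random_secret body makes the result only approximately `length` characters long, and because `round` rounds half to even, lengths 30 and 34 both yield a 32-character secret; the fixed uppercase/symbol/lowercase/digit layout also limits a 32-character secret to roughly 131 bits of entropy where a uniform draw over the same 75 characters would give about 199. The only call visible on this page is `get_random_secret(length=32)` in lemur/tests/conf.py, so nothing breaks today, but the same body is duplicated in lemur/common/utils.py and lemur/tests/conf.py and the caveat applies to all three copies. A uniform draw addresses both points in two lines: `alphabet = string.ascii_letters + string.digits + "~!@#$%^&*()_+"` followed by `return ''.join(secrets.choice(alphabet) for _ in range(length))`. The import block is this file's other hunk, and `string` and `secrets` are already imported there.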
10 changes: 5 additions & 5 deletions docs/administration.rst
Expand Up @@ -143,11 +143,11 @@ Basic Configuration

An example of how you might generate a random string:

>>> import random
>>> secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(6))
>>> secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(6))
>>> secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(6))
>>> secret_key = secret_key + ''.join(random.choice(string.digits) for x in range(6))
>>> import secrets
>>> secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(6))
>>> secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(6))
>>> secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(6))
>>> secret_key = secret_key + ''.join(secrets.choice(string.digits) for x in range(6))


.. data:: LEMUR_ENCRYPTION_KEYS
18 changes: 9 additions & 9 deletions lemur/common/utils.py
Expand Up @@ -8,8 +8,8 @@
"""
import base64
import json
import random
import re
import secrets
import socket
import ssl
import string
Expand Down Expand Up @@ -58,19 +58,19 @@ def get_psuedo_random_string():
"""
Create a random and strongish challenge.
"""
challenge = "".join(random.choice(string.ascii_uppercase) for x in range(6)) # noqa
challenge += "".join(random.choice("~!@#$%^&*()_+") for x in range(6)) # noqa
challenge += "".join(random.choice(string.ascii_lowercase) for x in range(6))
challenge += "".join(random.choice(string.digits) for x in range(6)) # noqa
challenge = "".join(secrets.choice(string.ascii_uppercase) for x in range(6)) # noqa
challenge += "".join(secrets.choice("~!@#$%^&*()_+") for x in range(6)) # noqa
challenge += "".join(secrets.choice(string.ascii_lowercase) for x in range(6))
challenge += "".join(secrets.choice(string.digits) for x in range(6)) # noqa
return challenge


def get_random_secret(length):
""" Similar to get_pseudo_random_string, but accepts a length parameter. """
secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(round(length / 4)))
secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(round(length / 4)))
return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4)))
secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(round(length / 4)))
secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(round(length / 4)))
return secret_key + ''.join(secrets.choice(string.digits) for x in range(round(length / 4)))


def get_state_token_secret():
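Review bot: The `# noqa` markers kept on three of the `secrets.choice` lines in get_psuedo_random_string look stale now that `random` is gone; the bare `# noqa` does not name the rule it silences, so this is a guess, but if it suppressed a linter finding on the `random` module it should be dropped so that a future regression to `random` is flagged again. The docstrings also still describe the output as "pseudo" and "strongish" although both functions now draw from the `secrets` CSPRNG: `"""Create a 24-character challenge from the secrets CSPRNG (6 upper, 6 symbol, 6 lower, 6 digit)."""` for get_psuedo_random_string and `"""Return a secret drawn with the secrets CSPRNG; length is rounded to a multiple of 4."""` for get_random_secret would state the actual guarantee. The misspelled name get_psuedo_random_string is part of the public interface and should stay as is.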
14 changes: 9 additions & 5 deletions lemur/tests/conf.py
Expand Up @@ -2,18 +2,18 @@

import base64
import os
import random
import secrets
import string

_basedir = os.path.abspath(os.path.dirname(__file__))


# generate random secrets for unittest
def get_random_secret(length):
secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(round(length / 4)))
secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(round(length / 4)))
return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4)))
secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(round(length / 4)))
secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(round(length / 4)))
return secret_key + ''.join(secrets.choice(string.digits) for x in range(round(length / 4)))


THREADS_PER_PAGE = 8
Expand All @@ -26,6 +26,10 @@ def get_random_secret(length):

TESTING = True

# All the secrets below must be generated using CRYPTOGRAPHICALLY SECURE RANDOMNESS and kept private
# (ideally they would not be stored directly in this config file).
# See Lemur's documentation for more information on secret management.

# this is the secret key used by flask session management (utf8 encoded)
SECRET_KEY = get_random_secret(length=32).encode('utf8')

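Review bot: get_random_secret here is the third verbatim copy of the same helper (the others are in docker/src/lemur.conf.py and lemur/common/utils.py), and this commit had to patch all three to swap `random` for `secrets`; a security primitive duplicated like this drifts, which is exactly how a `random`-based copy could survive a future fix. If import order allows it at config-load time, `from lemur.common.utils import get_random_secret` would leave one implementation to audit; I cannot tell from this page whether lemur.common.utils imports cleanly before the test config is read, so that needs checking. The new comment block above SECRET_KEY is a useful signal; it could add that the values are regenerated on every import of this module, so they are only suitable for tests.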
