diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 829931a5fd..6aa6593348 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -5,6 +5,14 @@ Unreleased ~~~~~~~~~~~~~~~~~~~~ +1.3.2 - `2023-02-24` +~~~~~~~~~~~~~~~~~~~~ +This release contains a fix for a security vulnerability. + +1.3.1 - `2023-02-15` +~~~~~~~~~~~~~~~~~~~~ +This release contains no changes. + 1.3.0 - `2023-02-13` ~~~~~~~~~~~~~~~~~~~~ This release contains many dependency updates, and numerous added or improved features over the last year. diff --git a/docker/src/lemur.conf.py b/docker/src/lemur.conf.py index da2e8491ea..02974437c2 100644 --- a/docker/src/lemur.conf.py +++ b/docker/src/lemur.conf.py @@ -1,5 +1,5 @@ import os.path -import random +import secrets import string from celery.schedules import crontab @@ -18,10 +18,10 @@ def get_random_secret(length): - secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(round(length / 4))) - secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(round(length / 4))) - secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(round(length / 4))) - return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4))) + secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(round(length / 4))) + secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(round(length / 4))) + secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(round(length / 4))) + return secret_key + ''.join(secrets.choice(string.digits) for x in range(round(length / 4))) # This is the secret key used by Flask session management diff --git a/docs/administration.rst b/docs/administration.rst index 7c1917df1a..05f649c535 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -143,11 +143,11 @@ Basic Configuration An example of how you might generate a random string: - >>> import random - >>> secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(6)) - >>> secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(6)) - >>> secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(6)) - >>> secret_key = secret_key + ''.join(random.choice(string.digits) for x in range(6)) + >>> import secrets + >>> secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(6)) + >>> secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(6)) + >>> secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(6)) + >>> secret_key = secret_key + ''.join(secrets.choice(string.digits) for x in range(6)) .. data:: LEMUR_ENCRYPTION_KEYS diff --git a/lemur/common/utils.py b/lemur/common/utils.py index 2f6baade7b..9f684feb0b 100644 --- a/lemur/common/utils.py +++ b/lemur/common/utils.py @@ -8,8 +8,8 @@ """ import base64 import json -import random import re +import secrets import socket import ssl import string @@ -58,19 +58,19 @@ def get_psuedo_random_string(): """ Create a random and strongish challenge. """ - challenge = "".join(random.choice(string.ascii_uppercase) for x in range(6)) # noqa - challenge += "".join(random.choice("~!@#$%^&*()_+") for x in range(6)) # noqa - challenge += "".join(random.choice(string.ascii_lowercase) for x in range(6)) - challenge += "".join(random.choice(string.digits) for x in range(6)) # noqa + challenge = "".join(secrets.choice(string.ascii_uppercase) for x in range(6)) # noqa + challenge += "".join(secrets.choice("~!@#$%^&*()_+") for x in range(6)) # noqa + challenge += "".join(secrets.choice(string.ascii_lowercase) for x in range(6)) + challenge += "".join(secrets.choice(string.digits) for x in range(6)) # noqa return challenge def get_random_secret(length): """ Similar to get_pseudo_random_string, but accepts a length parameter. """ - secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(round(length / 4))) - secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(round(length / 4))) - secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(round(length / 4))) - return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4))) + secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(round(length / 4))) + secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(round(length / 4))) + secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(round(length / 4))) + return secret_key + ''.join(secrets.choice(string.digits) for x in range(round(length / 4))) def get_state_token_secret(): diff --git a/lemur/tests/conf.py b/lemur/tests/conf.py index f573362599..35af9d98e5 100644 --- a/lemur/tests/conf.py +++ b/lemur/tests/conf.py @@ -2,7 +2,7 @@ import base64 import os -import random +import secrets import string _basedir = os.path.abspath(os.path.dirname(__file__)) @@ -10,10 +10,10 @@ # generate random secrets for unittest def get_random_secret(length): - secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(round(length / 4))) - secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(round(length / 4))) - secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(round(length / 4))) - return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4))) + secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(round(length / 4))) + secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(round(length / 4))) + secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(round(length / 4))) + return secret_key + ''.join(secrets.choice(string.digits) for x in range(round(length / 4))) THREADS_PER_PAGE = 8 @@ -26,6 +26,10 @@ def get_random_secret(length): TESTING = True +# All the secrets below must be generated using CRYPTOGRAPHICALLY SECURE RANDOMNESS and kept private +# (ideally they would not be stored directly in this config file). +# See Lemur's documentation for more information on secret management. + # this is the secret key used by flask session management (utf8 encoded) SECRET_KEY = get_random_secret(length=32).encode('utf8')