Merge pull request from GHSA-5fqv-mpj8-h7gm

Security fix

CHANGELOG.rst

@@ -5,6 +5,14 @@ Unreleased
 ~~~~~~~~~~~~~~~~~~~~
 
 
+1.3.2 - `2023-02-24`
+~~~~~~~~~~~~~~~~~~~~
+This release contains a fix for a security vulnerability.
+
+1.3.1 - `2023-02-15`
+~~~~~~~~~~~~~~~~~~~~
+This release contains no changes.
+
 1.3.0 - `2023-02-13`
 ~~~~~~~~~~~~~~~~~~~~
 This release contains many dependency updates, and numerous added or improved features over the last year.

docker/src/lemur.conf.py

@@ -1,5 +1,5 @@
 import os.path
-import random
+import secrets
 import string
 from celery.schedules import crontab
 
@@ -18,10 +18,10 @@
 
 
 def get_random_secret(length):
-    secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(round(length / 4)))
-    secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
-    secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(round(length / 4)))
-    return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4)))
+    secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(round(length / 4)))
+    secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
+    secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(round(length / 4)))
+    return secret_key + ''.join(secrets.choice(string.digits) for x in range(round(length / 4)))
 
 
 # This is the secret key used by Flask session management

docs/administration.rst

@@ -143,11 +143,11 @@ Basic Configuration
 
     An example of how you might generate a random string:
 
-        >>> import random
-        >>> secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(6))
-        >>> secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(6))
-        >>> secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(6))
-        >>> secret_key = secret_key + ''.join(random.choice(string.digits) for x in range(6))
+        >>> import secrets
+        >>> secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(6))
+        >>> secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(6))
+        >>> secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(6))
+        >>> secret_key = secret_key + ''.join(secrets.choice(string.digits) for x in range(6))
 
 
 .. data:: LEMUR_ENCRYPTION_KEYS

lemur/common/utils.py

@@ -8,8 +8,8 @@
 """
 import base64
 import json
-import random
 import re
+import secrets
 import socket
 import ssl
 import string
@@ -58,19 +58,19 @@ def get_psuedo_random_string():
     """
     Create a random and strongish challenge.
     """
-    challenge = "".join(random.choice(string.ascii_uppercase) for x in range(6))  # noqa
-    challenge += "".join(random.choice("~!@#$%^&*()_+") for x in range(6))  # noqa
-    challenge += "".join(random.choice(string.ascii_lowercase) for x in range(6))
-    challenge += "".join(random.choice(string.digits) for x in range(6))  # noqa
+    challenge = "".join(secrets.choice(string.ascii_uppercase) for x in range(6))  # noqa
+    challenge += "".join(secrets.choice("~!@#$%^&*()_+") for x in range(6))  # noqa
+    challenge += "".join(secrets.choice(string.ascii_lowercase) for x in range(6))
+    challenge += "".join(secrets.choice(string.digits) for x in range(6))  # noqa
     return challenge
 
 
 def get_random_secret(length):
     """ Similar to get_pseudo_random_string, but accepts a length parameter. """
-    secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(round(length / 4)))
-    secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
-    secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(round(length / 4)))
-    return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4)))
+    secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(round(length / 4)))
+    secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
+    secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(round(length / 4)))
+    return secret_key + ''.join(secrets.choice(string.digits) for x in range(round(length / 4)))
 
 
 def get_state_token_secret():

lemur/tests/conf.py

@@ -2,18 +2,18 @@
 
 import base64
 import os
-import random
+import secrets
 import string
 
 _basedir = os.path.abspath(os.path.dirname(__file__))
 
 
 # generate random secrets for unittest
 def get_random_secret(length):
-    secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(round(length / 4)))
-    secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
-    secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(round(length / 4)))
-    return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4)))
+    secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(round(length / 4)))
+    secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
+    secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(round(length / 4)))
+    return secret_key + ''.join(secrets.choice(string.digits) for x in range(round(length / 4)))
 
 
 THREADS_PER_PAGE = 8
@@ -26,6 +26,10 @@ def get_random_secret(length):
 
 TESTING = True
 
+# All the secrets below must be generated using CRYPTOGRAPHICALLY SECURE RANDOMNESS and kept private
+# (ideally they would not be stored directly in this config file).
+# See Lemur's documentation for more information on secret management.
+
 # this is the secret key used by flask session management (utf8 encoded)
 SECRET_KEY = get_random_secret(length=32).encode('utf8')