From 7c138d84e8156451383924c7a0d7b1055d92fc3a Mon Sep 17 00:00:00 2001
From: Jasmine Schladen <jschladen@netflix.com>
Date: Tue, 21 Feb 2023 14:57:54 -0800
Subject: [PATCH] Fix

---
 CHANGELOG.rst            |  8 ++++++++
 docker/src/lemur.conf.py | 10 +++++-----
 docs/administration.rst  | 10 +++++-----
 lemur/common/utils.py    | 18 +++++++++---------
 lemur/tests/conf.py      | 14 +++++++++-----
 5 files changed, 36 insertions(+), 24 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 829931a5fd..6aa6593348 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -5,6 +5,14 @@ Unreleased
 ~~~~~~~~~~~~~~~~~~~~
 
 
+1.3.2 - `2023-02-24`
+~~~~~~~~~~~~~~~~~~~~
+This release contains a fix for a security vulnerability.
+
+1.3.1 - `2023-02-15`
+~~~~~~~~~~~~~~~~~~~~
+This release contains no changes.
+
 1.3.0 - `2023-02-13`
 ~~~~~~~~~~~~~~~~~~~~
 This release contains many dependency updates, and numerous added or improved features over the last year.
diff --git a/docker/src/lemur.conf.py b/docker/src/lemur.conf.py
index da2e8491ea..02974437c2 100644
--- a/docker/src/lemur.conf.py
+++ b/docker/src/lemur.conf.py
@@ -1,5 +1,5 @@
 import os.path
-import random
+import secrets
 import string
 from celery.schedules import crontab
 
@@ -18,10 +18,10 @@
 
 
 def get_random_secret(length):
-    secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(round(length / 4)))
-    secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
-    secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(round(length / 4)))
-    return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4)))
+    secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(round(length / 4)))
+    secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
+    secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(round(length / 4)))
+    return secret_key + ''.join(secrets.choice(string.digits) for x in range(round(length / 4)))
 
 
 # This is the secret key used by Flask session management
diff --git a/docs/administration.rst b/docs/administration.rst
index 7c1917df1a..05f649c535 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -143,11 +143,11 @@ Basic Configuration
 
     An example of how you might generate a random string:
 
-        >>> import random
-        >>> secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(6))
-        >>> secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(6))
-        >>> secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(6))
-        >>> secret_key = secret_key + ''.join(random.choice(string.digits) for x in range(6))
+        >>> import secrets
+        >>> secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(6))
+        >>> secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(6))
+        >>> secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(6))
+        >>> secret_key = secret_key + ''.join(secrets.choice(string.digits) for x in range(6))
 
 
 .. data:: LEMUR_ENCRYPTION_KEYS
diff --git a/lemur/common/utils.py b/lemur/common/utils.py
index 2f6baade7b..9f684feb0b 100644
--- a/lemur/common/utils.py
+++ b/lemur/common/utils.py
@@ -8,8 +8,8 @@
 """
 import base64
 import json
-import random
 import re
+import secrets
 import socket
 import ssl
 import string
@@ -58,19 +58,19 @@ def get_psuedo_random_string():
     """
     Create a random and strongish challenge.
     """
-    challenge = "".join(random.choice(string.ascii_uppercase) for x in range(6))  # noqa
-    challenge += "".join(random.choice("~!@#$%^&*()_+") for x in range(6))  # noqa
-    challenge += "".join(random.choice(string.ascii_lowercase) for x in range(6))
-    challenge += "".join(random.choice(string.digits) for x in range(6))  # noqa
+    challenge = "".join(secrets.choice(string.ascii_uppercase) for x in range(6))  # noqa
+    challenge += "".join(secrets.choice("~!@#$%^&*()_+") for x in range(6))  # noqa
+    challenge += "".join(secrets.choice(string.ascii_lowercase) for x in range(6))
+    challenge += "".join(secrets.choice(string.digits) for x in range(6))  # noqa
     return challenge
 
 
 def get_random_secret(length):
     """ Similar to get_pseudo_random_string, but accepts a length parameter. """
-    secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(round(length / 4)))
-    secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
-    secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(round(length / 4)))
-    return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4)))
+    secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(round(length / 4)))
+    secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
+    secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(round(length / 4)))
+    return secret_key + ''.join(secrets.choice(string.digits) for x in range(round(length / 4)))
 
 
 def get_state_token_secret():
diff --git a/lemur/tests/conf.py b/lemur/tests/conf.py
index f573362599..35af9d98e5 100644
--- a/lemur/tests/conf.py
+++ b/lemur/tests/conf.py
@@ -2,7 +2,7 @@
 
 import base64
 import os
-import random
+import secrets
 import string
 
 _basedir = os.path.abspath(os.path.dirname(__file__))
@@ -10,10 +10,10 @@
 
 # generate random secrets for unittest
 def get_random_secret(length):
-    secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(round(length / 4)))
-    secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
-    secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(round(length / 4)))
-    return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4)))
+    secret_key = ''.join(secrets.choice(string.ascii_uppercase) for x in range(round(length / 4)))
+    secret_key = secret_key + ''.join(secrets.choice("~!@#$%^&*()_+") for x in range(round(length / 4)))
+    secret_key = secret_key + ''.join(secrets.choice(string.ascii_lowercase) for x in range(round(length / 4)))
+    return secret_key + ''.join(secrets.choice(string.digits) for x in range(round(length / 4)))
 
 
 THREADS_PER_PAGE = 8
@@ -26,6 +26,10 @@ def get_random_secret(length):
 
 TESTING = True
 
+# All the secrets below must be generated using CRYPTOGRAPHICALLY SECURE RANDOMNESS and kept private
+# (ideally they would not be stored directly in this config file).
+# See Lemur's documentation for more information on secret management.
+
 # this is the secret key used by flask session management (utf8 encoded)
 SECRET_KEY = get_random_secret(length=32).encode('utf8')