This repository has been archived by the owner on Feb 21, 2022. It is now read-only.

[SW-295] Remove default static secret key from the base settings #289

Closed
kiwicomplatform opened this issue Feb 17, 2020 · 1 comment

Comments

@kiwicomplatform

The-zoo is vulnerable to a cryptography issue since the SECRET_KEY variable in Django's settings.py will fall back to "mucho secretto" if no SECRET_KEY environment variable is provided when deploying the webserver.

Steps To Reproduce:

  • Deploy the-zoo without providing a SECRET_KEY environment variable
  • Django's SECRET_KEY will default to "mucho secretto" as per line 79 in settings.py

Vulnerable line: SECRET_KEY = env("SECRET_KEY", default="mucho secretto")

Impact:

Running Django with a known SECRET_KEY defeats many of Django’s security protections, and can lead to privilege escalation and remote code execution vulnerabilities.

Remediation:

Preventing the start or generating a random key for every run might be a better practice.
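The vulnerable fallback beside the two remediations the report suggests, as an added example that is not the-zoo's code: it reads plain os.environ in place of django-environ's env() so it runs without Django installed, and the 50-character floor is the threshold Django's own security check (security.W009) warns about.

```python
"""Fail-closed SECRET_KEY loading for a Django settings module (added example)."""
import os
import secrets


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""


KNOWN_DEFAULT = "mucho secretto"  # the static fallback from the report


def secret_key_with_static_fallback(environ=os.environ):
    """Vulnerable pattern: every deployment that forgets the variable
    silently runs with one publicly known key."""
    return environ.get("SECRET_KEY", KNOWN_DEFAULT)


def secret_key_fail_closed(environ=os.environ):
    """Remediation 1: refuse to start when no usable key is provided."""
    key = environ.get("SECRET_KEY")
    if not key or len(key) < 50 or key == KNOWN_DEFAULT:
        raise ImproperlyConfigured(
            "SECRET_KEY must be set to a unique value of at least 50 characters")
    return key


def secret_key_random_if_missing(environ=os.environ):
    """Remediation 2: generate a fresh random key when none is provided.
    Caveat: sessions, signed cookies and password-reset tokens are invalidated
    on every restart, and each worker process gets its own key, so this only
    suits local development, never a multi-process production deploy."""
    key = environ.get("SECRET_KEY")
    return key if key else secrets.token_urlsafe(64)


def refuses_to_start(environ):
    """Helper for deploy checks: True when the fail-closed loader rejects env."""
    try:
        secret_key_fail_closed(environ)
    except ImproperlyConfigured:
        return True
    return False


def is_weak(key):
    """Flag the known default or a too-short key, e.g. from a startup check."""
    return key == KNOWN_DEFAULT or len(key) < 50
```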

@aexvir
Contributor

aexvir commented Feb 17, 2020

🤔 Duplicate of #264

@aexvir aexvir closed this as completed Feb 17, 2020