[security] generate_secret_key should use a csprng

Original implementation used a very large seed (2048 bytes) but then performed encoding using the insecure Mersenne Twister pseudo random number generator. `random.seed` would actually take a `hash` of the input resulting in a much smaller keyspace (~63bits) and then biases in the insecure random number generator could result in more predictable keys than intended. The new implementation uses the system's cryptographically secure pseudo random number generator (`os.urandom`) with `512` bits and then does a straight encoding of that using base64, resulting in ~312 bits entropy.
2025-07-30 20:36:26 -06:00 · 2017-04-20 17:31:33 -04:00 · 2017-04-20 17:31:33 -04:00 · 72be86794e
commit 72be86794e
parent 401357b8cb
1 changed files with 2 additions and 4 deletions
--- a/netbox/generate_secret_key.py
+++ b/netbox/generate_secret_key.py
@ -1,8 +1,6 @@
 #!/usr/bin/env python
 # This script will generate a random 50-character string suitable for use as a SECRET_KEY.
 import os
-import random
+import base64

-charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*(-_=+)'
-random.seed = (os.urandom(2048))
-print(''.join(random.choice(charset) for c in range(50)))
+print(base64.urlsafe_b64encode(os.urandom(64))[:50])