From 72be86794ed0d33f83d2ba32469a3d8263728ddb Mon Sep 17 00:00:00 2001
From: Tommy Murphy
Date: Thu, 20 Apr 2017 17:31:33 -0400
Subject: [PATCH] [security] generate_secret_key should use a csprng
Original implementation used a very large seed (2048 bytes) but then performed encoding using the insecure Mersenne Twister pseudo random number generator. `random.seed` would actually take a `hash` of the input resulting in a much smaller keyspace (~63bits) and then biases in the insecure random number generator could result in more predictable keys than intended. The new implementation uses the system's cryptographically secure pseudo random number generator (`os.urandom`) with `512` bits and then does a straight encoding of that using base64, resulting in ~312 bits entropy.
---
 netbox/generate_secret_key.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/netbox/generate_secret_key.py b/netbox/generate_secret_key.py
index 0e0214dc4..6676426e0 100755
--- a/netbox/generate_secret_key.py
+++ b/netbox/generate_secret_key.py
@@ -1,8 +1,6 @@
 #!/usr/bin/env python
 # This script will generate a random 50-character string suitable for use as a SECRET_KEY.
 import os
-import random
+import base64
 
-charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*(-_=+)'
-random.seed = (os.urandom(2048))
-print(''.join(random.choice(charset) for c in range(50)))
+print(base64.urlsafe_b64encode(os.urandom(64))[:50])
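Review bot: On Python 3 `base64.urlsafe_b64encode` returns `bytes`, so the new `print` line would emit the key wrapped in `b'...'` rather than the bare 50-character string the header comment promises. The shebang is plain `python`, so the script itself does not fix which interpreter runs it. Decoding before printing gives the same output on both: `print(base64.urlsafe_b64encode(os.urandom(64))[:50].decode('ascii'))`. The 50-character slice keeps 300 bits of the 512 read (6 bits per base64 character), slightly under the ~312 bits stated in the description; a short comment such as `# 50 urlsafe-base64 chars = 300 bits from the OS CSPRNG` would record that next to the slice.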