From b7140a0e4a7712fe75b4b1d6a47eeaa461c72e0a Mon Sep 17 00:00:00 2001
From: jeremystretch
Date: Thu, 27 Apr 2023 10:35:39 -0400
Subject: [PATCH] Closes #12343: Enforce a minimum length for SECRET_KEY configuration parameter

---
 docs/configuration/required-parameters.md | 6 ++----
 docs/release-notes/version-3.5.md | 2 ++
 netbox/netbox/settings.py | 9 +++++++++
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/docs/configuration/required-parameters.md b/docs/configuration/required-parameters.md
index a71a1b410..c35f90f7b 100644
--- a/docs/configuration/required-parameters.md
+++ b/docs/configuration/required-parameters.md
@@ -144,8 +144,6 @@ REDIS = {
 ## SECRET_KEY
 
-This is a secret, random string used to assist in the creation new cryptographic hashes for passwords and HTTP cookies. The key defined here should not be shared outside of the configuration file. `SECRET_KEY` can be changed at any time, however be aware that doing so will invalidate all existing sessions.
+This is a secret, pseudorandom string used to assist in the creation new cryptographic hashes for passwords and HTTP cookies. The key defined here should not be shared outside the configuration file. `SECRET_KEY` can be changed at any time without impacting stored data, however be aware that doing so will invalidate all existing user sessions. NetBox deployments comprising multiple nodes must have the same secret key configured on all nodes.
 
-Please note that this key is **not** used directly for hashing user passwords or for the encrypted storage of secret data in NetBox.
-
-`SECRET_KEY` should be at least 50 characters in length and contain a random mix of letters, digits, and symbols. The script located at `$INSTALL_ROOT/netbox/generate_secret_key.py` may be used to generate a suitable key.
+`SECRET_KEY` **must** be at least 50 characters in length, and should contain a mix of letters, digits, and symbols. The script located at `$INSTALL_ROOT/netbox/generate_secret_key.py` may be used to generate a suitable key. Please note that this key is **not** used directly for hashing user passwords or for the encrypted storage of secret data in NetBox.
 
diff --git a/docs/release-notes/version-3.5.md b/docs/release-notes/version-3.5.md
index 122ecb18b..bc54202b5 100644
--- a/docs/release-notes/version-3.5.md
+++ b/docs/release-notes/version-3.5.md
@@ -5,6 +5,7 @@
 ### Breaking Changes
 
 * The `account` field has been removed from the provider model. This information is now tracked using the new provider account model. Multiple accounts can be assigned per provider.
+* A minimum length of 50 characters is now enforced for the `SECRET_KEY` configuration parameter.
 * The JobResult model has been moved from the `extras` app to `core` and renamed to Job. Accordingly, its REST API endpoint has been moved from `/api/extras/job-results/` to `/api/core/jobs/`.
 * The `obj_type` field on the Job model (previously JobResult) has been renamed to `object_type` for consistency with other models.
 * The `JOBRESULT_RETENTION` configuration parameter has been renamed to `JOB_RETENTION`.
@@ -72,6 +73,7 @@ Two new webhook trigger events have been introduced: `job_start` and `job_end`.
 * [#12068](https://github.com/netbox-community/netbox/issues/12068) - Enable generic foreign key relationships from jobs to NetBox objects
 * [#12085](https://github.com/netbox-community/netbox/issues/12085) - Add a file source view for reports
 * [#12218](https://github.com/netbox-community/netbox/issues/12218) - Provide more relevant API endpoint descriptions in schema
+* [#12343](https://github.com/netbox-community/netbox/issues/12343) - Enforce a minimum length for `SECRET_KEY` configuration parameter
 
 ### Bug Fixes (From Beta2)
 
diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py
index 8df61a7c9..83c9aed91 100644
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@@ -68,6 +68,15 @@ DATABASE = getattr(configuration, 'DATABASE')
 REDIS = getattr(configuration, 'REDIS')
 SECRET_KEY = getattr(configuration, 'SECRET_KEY')
 
+# Enforce minimum length for SECRET_KEY
+if type(SECRET_KEY) is not str:
+    raise ImproperlyConfigured(f"SECRET_KEY must be a string (found {type(SECRET_KEY).__name__})")
+if len(SECRET_KEY) < 50:
+    raise ImproperlyConfigured(
+        f"SECRET_KEY must be at least 50 characters in length. To generate a suitable key, run the following command:\n"
+        f" python {BASE_DIR}/generate_secret_key.py"
+    )
+
 # Calculate a unique deployment ID from the secret key
 DEPLOYMENT_ID = hashlib.sha256(SECRET_KEY.encode('utf-8')).hexdigest()[:16]
 
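Review bot: The new guard in settings.py checks only length, so a low-entropy value such as `'a' * 50` or a placeholder copied from an example config still passes even though the docs now describe the key as pseudorandom; a cheap diversity test after the length check would close that gap, mirroring Django's own security.W009 check which also requires at least five distinct characters: `if len(set(SECRET_KEY)) < 5: raise ImproperlyConfigured("SECRET_KEY must contain at least 5 distinct characters; a repeated or placeholder value is not a secret")`. On style, `type(SECRET_KEY) is not str` is conventionally written `not isinstance(SECRET_KEY, str)` unless rejecting str subclasses is intentional, in which case a short comment saying so would help. Both error messages correctly report only the type name and the length requirement rather than echoing the key itself, which keeps the value out of tracebacks and logs; please keep that property if the message is reworded. I am assuming `ImproperlyConfigured` is imported earlier in settings.py, since the import is outside this hunk.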