[PR #1093] [CLOSED] [security] generate_secret_key should use a csprng #12163

New Issue

adam · 2025-12-29T22:19:58+01:00

adam commented

2025-12-29 22:19:58 +01:00

📋 Pull Request Information

Original PR: https://github.com/netbox-community/netbox/pull/1093
Author: @tam7t
Created: 4/20/2017
Status: ❌ Closed

Base: develop ← Head: security-csprng

📝 Commits (1)

72be867 [security] generate_secret_key should use a csprng

📊 Changes

1 file changed (+2 additions, -4 deletions)

View changed files

📝 netbox/generate_secret_key.py (+2 -4)

📄 Description

Fixes: #1092

Original implementation used a very large seed (2048 bytes) but then performed
encoding using the insecure Mersenne Twister pseudo random number generator.
random.seed would actually take a hash of the input resulting in a much
smaller keyspace (64bits) and then biases in the insecure random number
generator could result in more predictable keys than intended.

The new implementation uses the system's cryptographically secure pseudo
random number generator (os.urandom) with 512 bits and then does a
straight encoding of that using base64, resulting in ~312 bits entropy.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netbox-community/netbox/pull/1093 **Author:** [@tam7t](https://github.com/tam7t) **Created:** 4/20/2017 **Status:** ❌ Closed **Base:** `develop` ← **Head:** `security-csprng` --- ### 📝 Commits (1) - [`72be867`](https://github.com/netbox-community/netbox/commit/72be86794ed0d33f83d2ba32469a3d8263728ddb) [security] generate_secret_key should use a csprng ### 📊 Changes **1 file changed** (+2 additions, -4 deletions) <details> <summary>View changed files</summary> 📝 `netbox/generate_secret_key.py` (+2 -4) </details> ### 📄 Description  ### Fixes: #1092  Original implementation used a very large seed (2048 bytes) but then performed encoding using the insecure Mersenne Twister pseudo random number generator. `random.seed` would actually take a `hash` of the input resulting in a much smaller keyspace (64bits) and then biases in the insecure random number generator could result in more predictable keys than intended. The new implementation uses the system's cryptographically secure pseudo random number generator (`os.urandom`) with `512` bits and then does a straight encoding of that using base64, resulting in ~312 bits entropy. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

adam added the pull-request label 2025-12-29 22:19:58 +01:00

adam closed this issue

2025-12-29 22:19:59 +01:00

Sign in to join this conversation.

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#12163