Insecure SECRET_KEY generated by generate_secret_key.py #4489

Closed
opened 2025-12-29 18:36:34 +01:00 by adam · 1 comment

Originally created by @Alef-Burzmali on GitHub (Jan 24, 2021).

Environment

  • Python version: 3.6+
  • NetBox version: 2.10.3

Steps to Reproduce

  1. Use generate_secret_key.py to generate a random key
  2. Observe the randomness of the result

Expected Behavior

The generated key is a string of 50 characters chosen randomly among the 76 characters (76^50 = 10^94 combinations).

Observed Behavior

The generated key is a 50-char-long permutation of the 76 characters of the charset (76 choose 50 = 10^20 possibilities). You can see that no characters are used more than once, e.g.: gN-DOwkFbQ1Bur89Tlza0v!=#y63U)os2%C_HZdP74IM+cmA5L

The script should use random.choices instead of random.sample. Furthermore, as Netbox already depends on Python 3.6, it would be even better to use secrets.choice instead and avoid SystemRandom.

I understand that this script is only used once (as mentioned in #1092). However, the secrets it generates are currently well within brute-force territory and are insecure. I suppose it could be abused to steal a session or a user account (based on Django's doc) and I would recommend changing it in current deployments (if it is feasible), if the key was generated with this script during the installation.

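An added example (not NetBox's own script) contrasting the two draw methods the report describes, computing the size of each key space, and giving a check an operator can run against an existing SECRET_KEY. The 76-character charset is constructed here to match the count in the report, and the key-space function counts ordered draws because sample() returns an ordered list.

```python
import math
import random
import secrets
import string

# Assumed 76-character charset, constructed to match the report's count
# (52 letters + 10 digits + 14 punctuation marks); the real script may differ.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*(-_=+)"
KEY_LENGTH = 50


def generate_key_flawed(length=KEY_LENGTH):
    """Pattern reported in the issue: sample() draws WITHOUT replacement,
    so no character can appear twice in the resulting key."""
    return "".join(random.SystemRandom().sample(CHARSET, length))


def generate_key_fixed(length=KEY_LENGTH):
    """Fix proposed in the issue: secrets.choice draws each position
    independently (WITH replacement) from the OS CSPRNG."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def keyspace_bits(length=KEY_LENGTH, with_replacement=True):
    """log2 of the number of distinct keys each method can produce."""
    n = len(CHARSET)
    # sample() yields an ordered list, so count ordered draws (n P k).
    size = n ** length if with_replacement else math.perm(n, length)
    return math.log2(size)


def looks_sampled(key):
    """Audit check for a deployed SECRET_KEY: a 50-char key in which no
    character repeats is the fingerprint of sample(). A key drawn with
    replacement is repeat-free with probability 76P50 / 76**50, about 2**-31,
    so a repeat-free key almost certainly came from the flawed script."""
    return len(set(key)) == len(key)


if __name__ == "__main__":
    print(f"with replacement:    {keyspace_bits():.1f} bits")
    print(f"without replacement: {keyspace_bits(with_replacement=False):.1f} bits")
    print("flawed key is repeat-free:", looks_sampled(generate_key_flawed()))
    print("fixed key:", generate_key_fixed())
```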
adam added the type: bug, status: accepted labels 2025-12-29 18:36:34 +01:00
adam closed this issue 2025-12-29 18:36:34 +01:00

@DanSheps commented on GitHub (Jan 25, 2021):

Do you have more information on this supposed weakness?

I will admit my Python cryptography is weak, but I don't see any issue with using sample over choices according to their documentation.

Reference: starred/netbox#4489