From 51a7f636b05ae393f04b99cfc1ef700a545d80d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominic=20Z=C3=B6ller?= Date: Sun, 7 Nov 2021 19:54:19 +0100 Subject: [PATCH] Use secrets module for generating new API keys and passwords The implementation of `random.choice()` uses the Mersenne Twister, the output of which is predictable by observing previous output, and is as such unsuitable for security-sensitive applications. A cryptographically secure pseudorandom number generator - which the `secrets` module relies on - should be used instead in those instances. --- powerdnsadmin/models/api_key.py | 4 ++-- powerdnsadmin/routes/api.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/powerdnsadmin/models/api_key.py b/powerdnsadmin/models/api_key.py index 89b9fc1..4c26cd2 100644 --- a/powerdnsadmin/models/api_key.py +++ b/powerdnsadmin/models/api_key.py @@ -1,4 +1,4 @@ -import random +import secrets import string import bcrypt from flask import current_app @@ -30,7 +30,7 @@ class ApiKey(db.Model): self.accounts[:] = accounts if not key: rand_key = ''.join( - random.choice(string.ascii_letters + string.digits) + secrets.choice(string.ascii_letters + string.digits) for _ in range(15)) self.plain_key = rand_key self.key = self.get_hashed_password(rand_key).decode('utf-8') diff --git a/powerdnsadmin/routes/api.py b/powerdnsadmin/routes/api.py index 448144b..1fd5e3a 100644 --- a/powerdnsadmin/routes/api.py +++ b/powerdnsadmin/routes/api.py @@ -30,7 +30,7 @@ from ..decorators import ( apikey_is_admin, apikey_can_access_domain, api_role_can, apikey_or_basic_auth, ) -import random +import secrets import string api_bp = Blueprint('api', __name__, url_prefix='/api/v1') @@ -687,7 +687,7 @@ def api_create_user(): if not plain_text_password and not password: plain_text_password = ''.join( - random.choice(string.ascii_letters + string.digits) + secrets.choice(string.ascii_letters + string.digits) for _ in range(15)) if not role_name and not role_id: role_name = 'User'