[PATCH] Use secrets and fall back to random.SystemRandom for keys

Jeremy Cline jcline at redhat.com
Thu Oct 10 06:03:45 AEDT 2019


The random module uses the Mersenne Twister pseudorandom number
generator and is not a cryptographically secure random number
generator[0]. The secrets[1] module is intended for generating
cryptographically strong random numbers, so recommend using that to
generate the secret key. It's new in Python 3, so if it's unavailable
fall back to using the ``os.urandom()`` backed implementation of random.

[0] https://docs.python.org/3/library/random.html
[1] https://docs.python.org/3/library/secrets.html

Signed-off-by: Jeremy Cline <jcline at redhat.com>
---
 docs/deployment/installation.rst                     | 10 ++++++++--
 patchwork/settings/production.example.py             | 12 +++++++++---
 ...andom.SystemRandom-for-keys-9ceb496919a1bb6f.yaml |  5 +++++
 3 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/use-secrets-and-fall-back-to-random.SystemRandom-for-keys-9ceb496919a1bb6f.yaml

diff --git a/docs/deployment/installation.rst b/docs/deployment/installation.rst
index d422573..f477a11 100644
--- a/docs/deployment/installation.rst
+++ b/docs/deployment/installation.rst
@@ -254,9 +254,15 @@ This should be a random value and kept secret. You can generate and a value for
 
 .. code-block:: python
 
-   import string, random
+   import string
+   try:
+       import secrets
+   except ImportError:  # Python < 3.6
+       import random
+       secrets = random.SystemRandom()
+
    chars = string.ascii_letters + string.digits + string.punctuation
-   print(repr("".join([random.choice(chars) for i in range(0,50)])))
+   print("".join([secrets.choice(chars) for i in range(50)]))
 
 Once again, store this in ``production.py``.
 
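Review bot: Dropping `repr()` in the new `print(...)` line makes the generated key awkward to copy into `production.py`: `string.punctuation` includes `'`, `"` and `\`, so a raw printed value cannot be pasted into a Python string literal without manual escaping, whereas the old `print(repr(...))` produced a literal that was safe to paste. Either keep the `repr()` wrapper, or note in the surrounding text that the value is meant for an environment variable rather than a source literal. The fallback itself is sound: `random.SystemRandom` is backed by `os.urandom()` and exposes the same `.choice()` method, so the `except ImportError` path behaves the same as `secrets` on interpreters that predate it.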
diff --git a/patchwork/settings/production.example.py b/patchwork/settings/production.example.py
index c6aa2f2..8058537 100644
--- a/patchwork/settings/production.example.py
+++ b/patchwork/settings/production.example.py
@@ -21,9 +21,15 @@ from .base import *  # noqa
 # You'll need to replace this to a random string. The following python code can
 # be used to generate a secret key:
 #
-#      import string, random
-#      chars = string.letters + string.digits + string.punctuation
-#      print repr("".join([random.choice(chars) for i in range(0,50)]))
+#      import string
+#      try:
+#          import secrets
+#      except ImportError:  # Python < 3.6
+#          import random
+#          secrets = random.SystemRandom()
+#
+#      chars = string.ascii_letters + string.digits + string.punctuation
+#      print("".join([secrets.choice(chars) for i in range(50)]))
 
 SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
 
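Review bot: The comment still says "You'll need to replace this to a random string" while the setting two lines below reads `SECRET_KEY = os.environ['DJANGO_SECRET_KEY']`, so the generated value actually belongs in the `DJANGO_SECRET_KEY` environment variable, not in this file; since the hunk already rewrites the comment, it would be worth fixing that wording too (and "replace this to" should read "replace this with"). The `repr()` removal has the same paste-safety consequence here as in the docs hunk, with the added wrinkle that shell environment assignment also needs quoting for the `'`, `"`, `\` and `$` characters that `string.punctuation` can emit.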
diff --git a/releasenotes/notes/use-secrets-and-fall-back-to-random.SystemRandom-for-keys-9ceb496919a1bb6f.yaml b/releasenotes/notes/use-secrets-and-fall-back-to-random.SystemRandom-for-keys-9ceb496919a1bb6f.yaml
new file mode 100644
index 0000000..7b101cb
--- /dev/null
+++ b/releasenotes/notes/use-secrets-and-fall-back-to-random.SystemRandom-for-keys-9ceb496919a1bb6f.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Change the recommended method for generating the Django secret key to use a
+    cryptographically secure random number generator.
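Review bot: The note says only that the recommended method changed, without saying what operators should do about it. Since the previous snippet used `random.choice()`, which the commit message describes as not cryptographically secure, the release note should state whether a `SECRET_KEY` generated with the old instructions ought to be rotated, and ideally name the new mechanism (`secrets`, with `random.SystemRandom` as the fallback) so readers can tell which snippet they followed.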
-- 
2.21.0