Defend against configured known secret keys.

This is a two-prong effort. First, we warn on launch if a known key is used. Second, we document using invalid keys where possible. Co-authored-by: Jonas Møller <jonas@moesys.no>
2023-03-23 11:37:23 -07:00 · 2023-03-23 11:37:23 -07:00 · 0ed6d82d10
parent 01663ed47c
commit 0ed6d82d10
6 changed files with 32 additions and 8 deletions
--- a/core/lib/src/config/config.rs
+++ b/core/lib/src/config/config.rs
@ -364,6 +364,18 @@ impl Config {
        #[cfg(not(feature = "mtls"))] { false }
    }

+    #[cfg(feature = "secrets")]
+    pub(crate) fn known_secret_key_used(&self) -> bool {
+        const KNOWN_SECRET_KEYS: &'static [&'static str] = &[
+            "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk="
+        ];
+
+        KNOWN_SECRET_KEYS.iter().any(|&key_str| {
+            let value = figment::value::Value::from(key_str);
+            self.secret_key == value.deserialize().expect("known key is valid")
+        })
+    }
+
    pub(crate) fn pretty_print(&self, figment: &Figment) {
        use crate::log::PaintExt;

--- a/core/lib/src/config/mod.rs
+++ b/core/lib/src/config/mod.rs
@ -666,7 +666,7 @@ mod tests {
    fn test_no_err_on_release_and_custom_secret_key() {
        figment::Jail::expect_with(|jail| {
            jail.set_env("ROCKET_PROFILE", "release");
-            let key = "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk=";
+            let key = "Bx4Gb+aSIfuoEyMHD4DvNs92+wmzfQK98qc6MiwyPY4=";
            let figment = Config::figment().merge(("secret_key", key));

            assert!(crate::local::blocking::Client::tracked(crate::custom(&figment)).is_ok());
--- a/core/lib/src/config/secret_key.rs
+++ b/core/lib/src/config/secret_key.rs
@ -22,8 +22,13 @@ enum Kind {
 /// ```rust
 /// use rocket::config::Config;
 ///
+/// // NOTE: Don't (!) use this key! Generate your own and keep it private!
+/// //       e.g. via `head -c64 /dev/urandom | base64`
 /// let figment = Config::figment()
-///     .merge(("secret_key", "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk="));
+///     # .merge(("secret_key", "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk="));
+///     # /*
+///     .merge(("secret_key", "hPrYyЭRiMyµ5sBB1π+CMæ1køFsåqKvBiQJxBVHQk="));
+///     # */
 ///
 /// let config = Config::from(figment);
 /// assert!(!config.secret_key.is_zero());
--- a/core/lib/src/rocket.rs
+++ b/core/lib/src/rocket.rs
@ -530,7 +530,11 @@ impl Rocket<Build> {
                config.secret_key = crate::config::SecretKey::generate()
                    .unwrap_or_else(crate::config::SecretKey::zero);
            }
-        };
+        } else if config.known_secret_key_used() {
+            warn!("The configured `secret_key` is exposed and insecure.");
+            warn_!("The configured key is publicly published and thus insecure.");
+            warn_!("Try generating a new key with `head -c64 /dev/urandom | base64`.");
+        }

        // Initialize the router; check for collisions.
        let mut router = Router::new();
--- a/examples/config/Rocket.toml
+++ b/examples/config/Rocket.toml
@ -26,7 +26,8 @@ port = 8000
 workers = 12
 keep_alive = 5
 log_level = "critical"
-# don't use this key! generate your own and keep it private!
+# NOTE: Don't (!) use this key! Generate your own and keep it private!
+#       e.g. via `head -c64 /dev/urandom | base64`
 secret_key = "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk="
 key = "a release app-key"
 extra = false
--- a/site/guide/9-configuration.md
+++ b/site/guide/9-configuration.md
@ -126,11 +126,12 @@ limits = { json = "10MiB" }
 port = 9001

 ## set only when compiled in release mode, i.e, `cargo build --release`
-## don't use this secret_key! generate your own and keep it private!
 [release]
 port = 9999
-secret_key = "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk="
 ip_header = false
+# NOTE: Don't (!) use this key! Generate your own and keep it private!
+#       e.g. via `head -c64 /dev/urandom | base64`
+secret_key = "hPrYyЭRiMyµ5sBB1π+CMæ1køFsåqKvBiQJxBVHQk="
 ```

 The following is a `Rocket.toml` file with all configuration options set for
@ -150,8 +151,9 @@ ip_header = "X-Real-IP" # set to `false` to disable
 log_level = "normal"
 temp_dir = "/tmp"
 cli_colors = true
-## NOTE: Don't (!) use this key! Generate your own!
-secret_key = "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk="
+# NOTE: Don't (!) use this key! Generate your own and keep it private!
+#       e.g. via `head -c64 /dev/urandom | base64`
+secret_key = "hPrYyЭRiMyµ5sBB1π+CMæ1køFsåqKvBiQJxBVHQk="

 [default.limits]
 form = "64 kB"