rwf2
/
Rocket
mirror of https://github.com/rwf2/Rocket.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Defend against configured known secret keys. 

This is a two-prong effort. First, we warn on launch if a known key is
used. Second, we document using invalid keys where possible.

Co-authored-by: Jonas Møller <jonas@moesys.no>
This commit is contained in:
Sergio Benitez 2023-03-23 11:37:23 -07:00
parent 01663ed47c
commit 0ed6d82d10
6 changed files with 32 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
core/lib/src/config/config.rs
View File

@ -364,6 +364,18 @@ impl Config {
#[cfg(not(feature = "mtls"))] { false } #[cfg(not(feature = "mtls"))] { false }
} }
#[cfg(feature = "secrets")]
pub(crate) fn known_secret_key_used(&self) -> bool {
const KNOWN_SECRET_KEYS: &'static [&'static str] = &[
"hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk="
];
KNOWN_SECRET_KEYS.iter().any(|&key_str| {
let value = figment::value::Value::from(key_str);
self.secret_key == value.deserialize().expect("known key is valid")
})
}
pub(crate) fn pretty_print(&self, figment: &Figment) { pub(crate) fn pretty_print(&self, figment: &Figment) {
use crate::log::PaintExt; use crate::log::PaintExt;

2
core/lib/src/config/mod.rs
View File

@ -666,7 +666,7 @@ mod tests {
fn test_no_err_on_release_and_custom_secret_key() { fn test_no_err_on_release_and_custom_secret_key() {
figment::Jail::expect_with(|jail| { figment::Jail::expect_with(|jail| {
jail.set_env("ROCKET_PROFILE", "release"); jail.set_env("ROCKET_PROFILE", "release");
let key = "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk="; let key = "Bx4Gb+aSIfuoEyMHD4DvNs92+wmzfQK98qc6MiwyPY4=";
let figment = Config::figment().merge(("secret_key", key)); let figment = Config::figment().merge(("secret_key", key));
assert!(crate::local::blocking::Client::tracked(crate::custom(&figment)).is_ok()); assert!(crate::local::blocking::Client::tracked(crate::custom(&figment)).is_ok());

7
core/lib/src/config/secret_key.rs
View File

@ -22,8 +22,13 @@ enum Kind {
/// ```rust /// ```rust
/// use rocket::config::Config; /// use rocket::config::Config;
/// ///
/// // NOTE: Don't (!) use this key! Generate your own and keep it private!
/// // e.g. via `head -c64 /dev/urandom | base64`
/// let figment = Config::figment() /// let figment = Config::figment()
/// .merge(("secret_key", "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk=")); /// # .merge(("secret_key", "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk="));
/// # /*
/// .merge(("secret_key", "hPrYyЭRiMyµ5sBB1π+CMæ1køFsåqKvBiQJxBVHQk="));
/// # */
/// ///
/// let config = Config::from(figment); /// let config = Config::from(figment);
/// assert!(!config.secret_key.is_zero()); /// assert!(!config.secret_key.is_zero());

6
core/lib/src/rocket.rs
View File

@ -530,7 +530,11 @@ impl Rocket<Build> {
config.secret_key = crate::config::SecretKey::generate() config.secret_key = crate::config::SecretKey::generate()
.unwrap_or_else(crate::config::SecretKey::zero); .unwrap_or_else(crate::config::SecretKey::zero);
} }
}; } else if config.known_secret_key_used() {
warn!("The configured `secret_key` is exposed and insecure.");
warn_!("The configured key is publicly published and thus insecure.");
warn_!("Try generating a new key with `head -c64 /dev/urandom | base64`.");
}
// Initialize the router; check for collisions. // Initialize the router; check for collisions.
let mut router = Router::new(); let mut router = Router::new();

3
examples/config/Rocket.toml
View File

@ -26,7 +26,8 @@ port = 8000
workers = 12 workers = 12
keep_alive = 5 keep_alive = 5
log_level = "critical" log_level = "critical"
# don't use this key! generate your own and keep it private! # NOTE: Don't (!) use this key! Generate your own and keep it private!
# e.g. via `head -c64 /dev/urandom | base64`
secret_key = "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk=" secret_key = "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk="
key = "a release app-key" key = "a release app-key"
extra = false extra = false

10
site/guide/9-configuration.md
View File

@ -126,11 +126,12 @@ limits = { json = "10MiB" }
port = 9001 port = 9001
## set only when compiled in release mode, i.e, `cargo build --release` ## set only when compiled in release mode, i.e, `cargo build --release`
## don't use this secret_key! generate your own and keep it private!
[release] [release]
port = 9999 port = 9999
secret_key = "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk="
ip_header = false ip_header = false
# NOTE: Don't (!) use this key! Generate your own and keep it private!
# e.g. via `head -c64 /dev/urandom | base64`
secret_key = "hPrYyЭRiMyµ5sBB1π+CMæ1køFsåqKvBiQJxBVHQk="
``` ```
The following is a `Rocket.toml` file with all configuration options set for The following is a `Rocket.toml` file with all configuration options set for
@ -150,8 +151,9 @@ ip_header = "X-Real-IP" # set to `false` to disable
log_level = "normal" log_level = "normal"
temp_dir = "/tmp" temp_dir = "/tmp"
cli_colors = true cli_colors = true
## NOTE: Don't (!) use this key! Generate your own! # NOTE: Don't (!) use this key! Generate your own and keep it private!
secret_key = "hPRYyVRiMyxpw5sBB1XeCMN1kFsDCqKvBi2QJxBVHQk=" # e.g. via `head -c64 /dev/urandom | base64`
secret_key = "hPrYyЭRiMyµ5sBB1π+CMæ1køFsåqKvBiQJxBVHQk="
[default.limits] [default.limits]
form = "64 kB" form = "64 kB"