69 lines
1.7 KiB
Plaintext
69 lines
1.7 KiB
Plaintext
include::../../../shared_content/secrets/description.adoc[]
|
|
|
|
== Why is this an issue?
|
|
|
|
include::../../../shared_content/secrets/rationale.adoc[]
|
|
|
|
=== What is the potential impact?
|
|
|
|
If a Flask secret key leaks to an unintended audience, it can have serious
|
|
security implications for the corresponding application. The secret key is used
|
|
to sign cookies and other sensitive data so that an attacker could potentially
|
|
use it to perform malicious actions.
|
|
|
|
For example, an attacker could use the secret key to create their own cookies
|
|
that appear to be legitimate, allowing them to bypass authentication and gain
|
|
access to sensitive data or functionality.
|
|
|
|
In the worst-case scenario, an attacker could be able to execute arbitrary code
|
|
on the application and take over its hosting server.
|
|
|
|
== How to fix it
|
|
|
|
include::../../../shared_content/secrets/fix/revoke.adoc[]
|
|
|
|
In Flask, changing the secret value is sufficient to invalidate any data that
|
|
it protected.
|
|
|
|
include::../../../shared_content/secrets/fix/vault.adoc[]
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,python,diff-id=1,diff-type=noncompliant,subs="attributes"]
|
|
----
|
|
from flask import Flask
|
|
|
|
app = Flask(__name__)
|
|
app.config['SECRET_KEY'] = "secret" # Noncompliant
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,python,diff-id=1,diff-type=compliant,subs="attributes"]
|
|
----
|
|
from flask import Flask
|
|
import os
|
|
|
|
app = Flask(__name__)
|
|
app.config['SECRET_KEY'] = os.environ["SECRET_KEY"]
|
|
----
|
|
|
|
|
|
//=== How does this work?
|
|
|
|
//=== Pitfalls
|
|
|
|
//=== Going the extra mile
|
|
|
|
== Resources
|
|
|
|
include::../../../shared_content/secrets/resources/standards.adoc[]
|
|
|
|
=== Documentation
|
|
|
|
* Flask documentation - https://flask.palletsprojects.com/en/2.3.x/config/#SECRET_KEY[Config - SECRET_KEY]
|
|
|
|
//=== Benchmarks
|