<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">

<qhelp>

<overview>

<p>

Flask and Django require a Securely signed key for singing the session cookies. most of the time developers rely on load hardcoded secret keys from a config file or python code. this proves that the way of hardcoded secret can make problems when you forgot to change the constant secret keys.

</p>

</overview>

<recommendation>

<p>

In Flask Consider using a secure random generator with <a href="https://docs.python.org/3/library/secrets.html#secrets.token_hex">Python standard secrets library</a>

</p>

<p>

In Django Consider using a secure random generator with "get_random_secret_key()"" method from "django.core.management.utils".

</p>

</recommendation>

<example>

<p>Safe Django SECRET_KEY</p>

<sample src="examples/example_Django_safe.py" />

<p>Unsafe Django SECRET_KEY Example:</p>

<sample src="examples/example_Django_unsafe.py" />

<p>Safe Flask SECRET_KEY Example:</p>

<sample src="examples/example_Flask_safe.py" />

<sample src="examples/example_Flask_unsafe.py" />

<p>Unsafe Flask SECRET_KEY Example:</p>

<sample src="examples/example_Flask_unsafe2.py" />

<p>config1.py</p>

<sample src="examples/config1.py" />

<p>config2.py</p>

<sample src="examples/config2.py" />

<p>config3.py</p>

<sample src="examples/config3.py" />

<p>__init__.py</p>

<sample src="examples/settings/__init__.py" />

</example>

<references>

<li>

<a href="https://flask.palletsprojects.com/en/2.3.x/config/#SECRET_KEY">Flask Documentation</a>

</li>

<li>

<a href="https://docs.djangoproject.com/en/4.2/ref/settings/#secret-key">Django Documentation</a>

</li>

<li>

<a href="https://flask-jwt-extended.readthedocs.io/en/stable/basic_usage.html#basic-usage">Flask-JWT-Extended Documentation</a>

</li>

<li>

<a href="https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/">CVE-2023-27524 - Apache Superset had multiple CVEs related to this kind of Vulnerability</a>

</li>

<li>

<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-17526">CVE-2020-17526 - Apache Airflow had multiple CVEs related to this kind of Vulnerability</a>

</li>

<li>

<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-41192">CVE-2021-41192 - Redash was assigning a environment variable with a default value which it was assigning the default secrect if the environment variable does not exists</a>

</li>

</references>

</qhelp>

import python

import experimental.semmle.python.Concepts

import semmle.python.dataflow.new.DataFlow

import semmle.python.ApiGraphs

import semmle.python.dataflow.new.TaintTracking

import WebAppConstantSecretKeyDjango

import WebAppConstantSecretKeyFlask

import semmle.python.filters.Tests

newtype TFrameWork =

Flask() or

Django()

module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig {

class FlowState = TFrameWork;

predicate isSource(DataFlow::Node source, FlowState state) {

state = Flask() and FlaskConstantSecretKeyConfig::isSource(source)

or

state = Django() and DjangoConstantSecretKeyConfig::isSource(source)

}

predicate isBarrier(DataFlow::Node node) {

node.getLocation().getFile().inStdlib()

or

// To reduce FP rate, the following was added

node.getLocation()

.getFile()

.getRelativePath()

.matches(["%test%", "%demo%", "%example%", "%sample%"]) and

// but that also meant all data-flow nodes in query tests were excluded... so we had

// to add this:

not node.getLocation().getFile().getRelativePath().matches("%query-tests/Security/CWE-287%")

}

predicate isSink(DataFlow::Node sink, FlowState state) {

state = Flask() and FlaskConstantSecretKeyConfig::isSink(sink)

or

state = Django() and DjangoConstantSecretKeyConfig::isSink(sink)

}

module WebAppConstantSecretKey = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>;

import WebAppConstantSecretKey::PathGraph

from WebAppConstantSecretKey::PathNode source, WebAppConstantSecretKey::PathNode sink

where WebAppConstantSecretKey::flowPath(source, sink)

select sink, source, sink, "The SECRET_KEY config variable is assigned by $@.", source,

" this constant String"

import python

import experimental.semmle.python.Concepts

import semmle.python.dataflow.new.DataFlow

import semmle.python.ApiGraphs

import semmle.python.dataflow.new.TaintTracking

import WebAppConstantSecretKeySource

module DjangoConstantSecretKeyConfig {

/**

predicate isSource(DataFlow::Node source) { source instanceof WebAppConstantSecretKeySource }

/**

predicate isSink(DataFlow::Node sink) {

exists(API::moduleImport("django")) and

(

exists(AssignStmt e | e.getTarget(0).(Name).getId() = ["SECRET_KEY", "SECRET_KEY_FALLBACKS"] |

sink.asExpr() = e.getValue()

)

or

exists(API::Node settings |

settings =

API::moduleImport("django").getMember("conf").getMember(["global_settings", "settings"]) and

sink =

settings

.getMember("configure")

.getKeywordParameter(["SECRET_KEY_FALLBACKS", "SECRET_KEY"])

.asSink()

)

or

exists(DataFlow::AttrWrite attr |

attr.getAttributeName() = ["SECRET_KEY_FALLBACKS", "SECRET_KEY"] and

sink = attr.getValue()

)

) and

exists(sink.getScope().getLocation().getFile().getRelativePath()) and

not sink.getScope().getLocation().getFile().inStdlib()

}

import python

import experimental.semmle.python.Concepts

import semmle.python.dataflow.new.DataFlow

import semmle.python.ApiGraphs

import semmle.python.dataflow.new.TaintTracking

import WebAppConstantSecretKeySource

module FlaskConstantSecretKeyConfig {

/**

API::Node flaskInstance() {

result = API::moduleImport("flask").getMember("Flask").getASubclass*()

}

/**

predicate isSource(DataFlow::Node source) { source instanceof WebAppConstantSecretKeySource }

/**

predicate isSink(DataFlow::Node sink) {

(

exists(API::Node n | n = flaskInstance().getReturn() |

sink =

[

n.getMember("config").getSubscript(["SECRET_KEY", "JWT_SECRET_KEY"]).asSink(),

n.getMember("config")

.getMember(["update", "from_mapping"])

.getACall()

.getArgByName(["SECRET_KEY", "JWT_SECRET_KEY"])

]

)

or

exists(DataFlow::AttrWrite attr |

attr.getObject().getALocalSource() = flaskInstance().getACall() and

attr.getAttributeName() = ["secret_key", "jwt_secret_key"] and

sink = attr.getValue()

)

or

exists(SecretKeyAssignStmt e | sink.asExpr() = e.getValue())

) and

exists(sink.getScope().getLocation().getFile().getRelativePath()) and

not sink.getScope().getLocation().getFile().inStdlib()

}

/**

class SecretKeyAssignStmt extends AssignStmt {

SecretKeyAssignStmt() {

exists(string configFileName, string fileNamehelper, DataFlow::Node n1, File file |

fileNamehelper = [flaskConfiFileName(n1), flaskConfiFileName2(n1)] and

// because of `from_object` we want first part of `Config.AClassName` which `Config` is a python file name

configFileName = fileNamehelper.splitAt(".") and

file = this.getLocation().getFile()

|

(

if fileNamehelper = "__name__"

then

file.getShortName() = flaskInstance().asSource().getLocation().getFile().getShortName()

else (

fileNamehelper.matches("%.py") and

file.getShortName().matches("%" + configFileName + "%") and

// after spliting, don't look at %py% pattern

configFileName != ".py"

or

// in case of referencing to a directory which then we must look for __init__.py file

not fileNamehelper.matches("%.py") and

file.getRelativePath()

.matches("%" + fileNamehelper.replaceAll(".", "/") + "/__init__.py")

)

) and

this.getTarget(0).(Name).getId() = ["SECRET_KEY", "JWT_SECRET_KEY"]

) and

exists(this.getScope().getLocation().getFile().getRelativePath()) and

not this.getScope().getLocation().getFile().inStdlib()

}

}

/**

string flaskConfiFileName(API::CallNode cn) {

cn =

flaskInstance()

.getReturn()

.getMember("config")

.getMember(["from_object", "from_pyfile"])

.getACall() and

result =

[

cn.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText(),

cn.getParameter(0).asSink().asExpr().(Name).getId()

]

}

string flaskConfiFileName2(API::CallNode cn) {

cn =

API::moduleImport("flask")

.getMember("Flask")

.getASubclass*()

.getASuccessor*()

.getMember("from_object")

.getACall() and

result = cn.getParameter(0).asSink().asExpr().(StrConst).getText()

}

import python

import semmle.python.dataflow.new.DataFlow

import semmle.python.ApiGraphs

class WebAppConstantSecretKeySource extends DataFlow::Node {

WebAppConstantSecretKeySource() {

(

// we should check whether there is a default value or not

exists(API::Node env |

env = API::moduleImport("environ").getMember("Env") and

// has default value

exists(API::Node param | param = env.getKeywordParameter("SECRET_KEY") |

param.asSink().asExpr().getASubExpression*() instanceof StrConst

) and

this = env.getReturn().getReturn().asSource()

)

or

this.asExpr() instanceof StrConst

or

exists(API::CallNode cn |

cn =

[

API::moduleImport("os").getMember("getenv").getACall(),

API::moduleImport("os").getMember("environ").getMember("get").getACall()

] and

cn.getNumArgument() = 2 and

DataFlow::localFlow(any(DataFlow::Node n | n.asExpr() instanceof StrConst), cn.getArg(1)) and

this.asExpr() = cn.asExpr()

)

) and

// followings will sanitize the get_random_secret_key of django.core.management.utils and similar random generators which we have their source code and some of them can be tracking by taint tracking because they are initilized by a constant!

exists(this.getScope().getLocation().getFile().getRelativePath()) and

not this.getScope().getLocation().getFile().inStdlib() and

// special sanitize case for get_random_secret_key and django-environ

not this.getScope().getLocation().getFile().getBaseName() = ["environ.py", "crypto.py"]

}