Opened 4 days ago
Closed 3 days ago
#35900 closed New feature (wontfix)
staticfiles: Make staticfiles.json location unguessable for security (by obscurity!)
| Reported by: | Sebastian Pipping | Owned by: | |
|---|---|---|---|
| Component: | contrib.staticfiles | Version: | dev |
| Severity: | Normal | Keywords: | staticfiles security hardening |
| Cc: | Sebastian Pipping | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Hi!
An attacker searching for a way to attack a specific Django setup can check URL /static/staticfiles.json and use its content to first derive used dependencies (potentially down to a specific version) to then derive attack vectors based on that information.
A fix would be to not use guessable name staticfiles.json by default but to include some entropy in that filename a la staticfiles_USD7M7XPCLK3CJAEXNMGXN2WLYSHLNE2.json e.g. derived from settings.SECRET_KEY so that ManifestFilesMixin.manifest_name content remains stable across all Python processes. The "by default" is key here, because most users of Django do not seem to consider the security implications of serving file staticfiles.json to attackers, I keep finding these files in the wild. Yes, security by obscurity is never enough in isolation, but it does make attacking harder in practice. All but one operators have decided to unpublish that file when I contacted them about this issue with their setup so far.
Pull request 18778 (https://github.com/django/django/pull/18778) demos one way how the situation could be improved in a backwards-compatible way by default and for everyone.
Change History (2)
comment:1 by , 4 days ago
| Description: | modified (diff) |
|---|---|
| Summary: | staticfiles: Make staticfiles.json location unguessable for security (by obscurity!). → staticfiles: Make staticfiles.json location unguessable for security (by obscurity!) |
comment:2 by , 3 days ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
| Type: | Uncategorized → New feature |
Hello Sebastian, thank you for taking the time to create this report.
Given this report requests a new feature for Django, the recommended path forward is to first propose and discuss the idea with the community and gain consensus. To do that, please consider starting a new conversation on the Django Forum, where you'll reach a broader audience and receive additional feedback. This consensus would require agreement on the implementation details for this change since, besides the comments from Florian in the PR, I thinks this would require some form of a deprecation path where the current
staticfiles.jsonis still available, or perhaps a way to declare themanifest_namein theSTORAGESdefinition to allow for the current behavior...I'll close the ticket for now, but if the community agrees with the proposal, please return to this ticket and reference the forum discussion so we can re-open it. For more information, please refer to the documented guidelines for requesting features.