Opened 5 days ago
Last modified 4 days ago
#35900 closed New feature
staticfiles: Make staticfiles.json location unguessable for security (by obscurity!). — at Initial Version
| Reported by: | Sebastian Pipping | Owned by: | |
|---|---|---|---|
| Component: | contrib.staticfiles | Version: | dev |
| Severity: | Normal | Keywords: | staticfiles security hardening |
| Cc: | Sebastian Pipping | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Hi!
An attacker searching for a way to attack a specific Django setup can check URL /static/staticfiles.json and use its content to first derive used dependencies (potentially down to a specific version) to then derive attack vectors based on that information.
A fix would be to not use guessable name staticfiles.json by default but to include some entropy in that filename a la staticfiles_USD7M7XPCLK3CJAEXNMGXN2WLYSHLNE2.json e.g. based on settings.SECRET_KEY so that ManifestFilesMixin.manifest_name content remains stable across all Python processes. The "by default" is key here, because most users of Django do not seem to consider the security implications of serving file staticfiles.json to attackers, I keep finding these files in the wild. Yes, security by obscurity is never enough in isolation, but it does make attacking harder in practice.
Pull request 18778 (https://github.com/django/django/pull/18778) demos one way how the situation could be improved in a backwards-compatible way by default and for everyone.