Re: [Django] #35900: staticfiles: Make staticfiles.json location unguessable for security (by obscurity!) (was: staticfiles: Make staticfiles.json location unguessable for security (by obscurity!).)

[Django]

#35900: staticfiles: Make staticfiles.json location unguessable for security (by
obscurity!)
-------------------------------------+-------------------------------------
Reporter: Sebastian Pipping | Owner: (none)
Type: Uncategorized | Status: new
Component: contrib.staticfiles | Version: dev
Severity: Normal | Resolution:
Keywords: staticfiles | Triage Stage:
security hardening | Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sebastian Pipping):

* summary:
staticfiles: Make staticfiles.json location unguessable for security
(by obscurity!).
=>
staticfiles: Make staticfiles.json location unguessable for security
(by obscurity!)


Old description:

> Hi!
>
> An attacker searching for a way to attack a specific Django setup can
> check URL `/static/staticfiles.json` and use its content to first derive
> used dependencies (potentially down to a specific version) to then derive
> attack vectors based on that information.
>
> A fix would be to not use guessable name `staticfiles.json` by default
> but to include some entropy in that filename a la
> `staticfiles_USD7M7XPCLK3CJAEXNMGXN2WLYSHLNE2.json` e.g. based on
> `settings.SECRET_KEY` so that `ManifestFilesMixin.manifest_name` content
> remains stable across all Python processes. The "by default" is key
> here, because most users of Django do not seem to consider the security
> implications of serving file `staticfiles.json` to attackers, I keep
> finding these files in the wild. Yes, security by obscurity is never
> enough in isolation, but it does make attacking harder in practice.
>
> Pull request 18778 (https://github.com/django/django/pull/18778) demos
> one way how the situation could be improved in a backwards-compatible way
> by default and for everyone.

New description:

Hi!

An attacker searching for a way to attack a specific Django setup can
check URL `/static/staticfiles.json` and use its content to first derive
used dependencies (potentially down to a specific version) to then derive
attack vectors based on that information.

A fix would be to not use guessable name `staticfiles.json` by default but
to include some entropy in that filename a la
`staticfiles_USD7M7XPCLK3CJAEXNMGXN2WLYSHLNE2.json` e.g. derived from
`settings.SECRET_KEY` so that `ManifestFilesMixin.manifest_name` content
remains stable across all Python processes. The "by default" is key here,
because most users of Django do not seem to consider the security
implications of serving file `staticfiles.json` to attackers, I keep
finding these files in the wild. Yes, security by obscurity is never
enough in isolation, but it does make attacking harder in practice. All
but one operators have decided to unpublish that file when I contacted
them about this issue with their setup so far.

Pull request 18778 (https://github.com/django/django/pull/18778) demos one
way how the situation could be improved in a backwards-compatible way by
default and for everyone.

--
--
Ticket URL: <https://code.djangoproject.com/ticket/35900#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.