Do not use uuid.uuid4() for generating security-critical secrets


laundmo

Oct 21, 2025, 11:55:42 AM
to py4web
In various places, py4web uses uuid.uuid4() for generating secrets.

UUIDs are not meant to be used for security-critical applications. The UUID specification and the Python documentation for uuid.uuid4() do not make any guarantees about security.

For CPython, the uuid.uuid4() implementation happens to use os.urandom as the underlying randomness source, which is in fact documented as "suitable for cryptographic use", but this is an implementation detail and should not be relied upon. Other Python implementations might implement uuid4 differently, which would make running py4web on them insecure.

The places where uuid4 is used for (seemingly) cryptographic purposes:

And also in these tests, which while not themselves critical, could provide a bad example:

Daniel

Oct 21, 2025, 1:18:43 PM
to laundmo, py4web
Seems secrets.token_urlsafe and secrets.token_hex would be a good replacement.
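Daniel's suggestion, as an added example that is not part of this thread or of py4web's code: a generator built on secrets.token_urlsafe next to a small audit helper that flags stored secrets evidently produced by uuid.uuid4(), so they can be regenerated. The config mapping is a constructed sample, not py4web's real settings.

```python
import re
import secrets
import uuid

# A version-4 UUID fixes 6 of its 128 bits (version nibble "4" and the
# variant bits of the fourth group), so even on CPython a uuid4 string
# carries at most 122 bits of randomness, not 128.
UUID4_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$",
    re.IGNORECASE,
)
UUID4_RANDOM_BITS = 128 - 6


def new_secret(nbytes: int = 32) -> str:
    """Return a URL-safe secret with nbytes of CSPRNG output (default 256 bits).

    secrets.token_urlsafe is documented as suitable for security-critical use,
    unlike uuid.uuid4(), whose randomness source is an implementation detail.
    """
    if nbytes < 32:
        raise ValueError("use at least 32 bytes (256 bits) for a secret")
    return secrets.token_urlsafe(nbytes)


def looks_like_uuid4(value: str) -> bool:
    """True if a stored secret has the exact shape of a uuid.uuid4() string."""
    return UUID4_RE.match(value.strip()) is not None


def audit_secrets(config: dict) -> list:
    """Return the config keys whose values should be regenerated with new_secret().

    Hypothetical audit helper: it only detects the uuid4 *format*, which is
    enough to find secrets that were minted with uuid.uuid4() and to replace them.
    """
    return sorted(k for k, v in config.items() if looks_like_uuid4(str(v)))


# Constructed sample: one secret minted the old way, one the recommended way.
SAMPLE_CONFIG = {
    "session_secret": str(uuid.uuid4()),
    "api_key": new_secret(),
}

if __name__ == "__main__":
    print("regenerate:", audit_secrets(SAMPLE_CONFIG))  # ['session_secret']
```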

Massimo DiPierro

Oct 22, 2025, 1:50:20 AM
to py4web
Agree 100%

I would take a PR to fix or I will make one.
