mirror of
https://github.com/paperless-ngx/paperless-ngx.git
synced 2026-07-12 15:05:08 +00:00
Security: Improve overall security in a few ways (#12501)
- Make sure we're always using regex with timeouts for user controlled data - Adds rate limiting to the token endpoint (configurable) - Signs the classifier pickle file with the SECRET_KEY and refuse to load one which doesn't verify. - Require the user to set a secret key, instead of falling back to our old hard coded one
This commit is contained in:
@@ -11,6 +11,7 @@ from typing import Final
|
||||
from urllib.parse import urlparse
|
||||
|
||||
from compression_middleware.middleware import CompressionMiddleware
|
||||
from django.core.exceptions import ImproperlyConfigured
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
from dotenv import load_dotenv
|
||||
|
||||
@@ -161,6 +162,9 @@ REST_FRAMEWORK = {
|
||||
"ALLOWED_VERSIONS": ["9", "10"],
|
||||
# DRF Spectacular default schema
|
||||
"DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
|
||||
"DEFAULT_THROTTLE_RATES": {
|
||||
"login": os.getenv("PAPERLESS_TOKEN_THROTTLE_RATE", "5/min"),
|
||||
},
|
||||
}
|
||||
|
||||
if DEBUG:
|
||||
@@ -460,13 +464,13 @@ SECURE_PROXY_SSL_HEADER = (
|
||||
else None
|
||||
)
|
||||
|
||||
# The secret key has a default that should be fine so long as you're hosting
|
||||
# Paperless on a closed network. However, if you're putting this anywhere
|
||||
# public, you should change the key to something unique and verbose.
|
||||
SECRET_KEY = os.getenv(
|
||||
"PAPERLESS_SECRET_KEY",
|
||||
"e11fl1oa-*ytql8p)(06fbj4ukrlo+n7k&q5+$1md7i+mge=ee",
|
||||
)
|
||||
SECRET_KEY = os.getenv("PAPERLESS_SECRET_KEY", "")
|
||||
if not SECRET_KEY: # pragma: no cover
|
||||
raise ImproperlyConfigured(
|
||||
"PAPERLESS_SECRET_KEY is not set. "
|
||||
"A unique, secret key is required for secure operation. "
|
||||
'Generate one with: python3 -c "import secrets; print(secrets.token_urlsafe(64))"',
|
||||
)
|
||||
|
||||
AUTH_PASSWORD_VALIDATORS = [
|
||||
{
|
||||
|
||||
@@ -34,6 +34,7 @@ from rest_framework.pagination import PageNumberPagination
|
||||
from rest_framework.permissions import DjangoModelPermissions
|
||||
from rest_framework.permissions import IsAuthenticated
|
||||
from rest_framework.response import Response
|
||||
from rest_framework.throttling import ScopedRateThrottle
|
||||
from rest_framework.viewsets import ModelViewSet
|
||||
|
||||
from documents.permissions import PaperlessObjectPermissions
|
||||
@@ -51,6 +52,8 @@ from paperless_ai.indexing import vector_store_file_exists
|
||||
|
||||
class PaperlessObtainAuthTokenView(ObtainAuthToken):
|
||||
serializer_class = PaperlessAuthTokenSerializer
|
||||
throttle_classes = [ScopedRateThrottle]
|
||||
throttle_scope = "login"
|
||||
|
||||
|
||||
class StandardPagination(PageNumberPagination):
|
||||
|
||||
Reference in New Issue
Block a user