1
0
mirror of https://github.com/django/django.git synced 2024-12-23 01:25:58 +00:00

Refs #32191 -- Added Signer.sign_object()/unsign_object().

Co-authored-by: Craig Smith <hello@craigiansmith.com.au>
This commit is contained in:
Florian Apolloner 2020-12-19 14:21:12 +01:00 committed by Mariusz Felisiak
parent 5bcba16c01
commit 102d92fc09
4 changed files with 126 additions and 32 deletions

View File

@ -107,21 +107,7 @@ def dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer,
The serializer is expected to return a bytestring.
"""
data = serializer().dumps(obj)
# Flag for if it's been compressed or not
is_compressed = False
if compress:
# Avoid zlib dependency unless compress is being used
compressed = zlib.compress(data)
if len(compressed) < (len(data) - 1):
data = compressed
is_compressed = True
base64d = b64_encode(data).decode()
if is_compressed:
base64d = '.' + base64d
return TimestampSigner(key, salt=salt).sign(base64d)
return TimestampSigner(key, salt=salt).sign_object(obj, serializer=serializer, compress=compress)
def loads(s, key=None, salt='django.core.signing', serializer=JSONSerializer, max_age=None):
@ -130,17 +116,7 @@ def loads(s, key=None, salt='django.core.signing', serializer=JSONSerializer, ma
The serializer is expected to accept a bytestring.
"""
# TimestampSigner.unsign() returns str but base64 and zlib compression
# operate on bytes.
base64d = TimestampSigner(key, salt=salt).unsign(s, max_age=max_age).encode()
decompress = base64d[:1] == b'.'
if decompress:
# It's compressed; uncompress it first
base64d = base64d[1:]
data = b64_decode(base64d)
if decompress:
data = zlib.decompress(data)
return serializer().loads(data)
return TimestampSigner(key, salt=salt).unsign_object(s, serializer=serializer, max_age=max_age)
class Signer:
@ -183,6 +159,44 @@ class Signer:
return value
raise BadSignature('Signature "%s" does not match' % sig)
def sign_object(self, obj, serializer=JSONSerializer, compress=False):
"""
Return URL-safe, hmac signed base64 compressed JSON string.
If compress is True (not the default), check if compressing using zlib
can save some space. Prepend a '.' to signify compression. This is
included in the signature, to protect against zip bombs.
The serializer is expected to return a bytestring.
"""
data = serializer().dumps(obj)
# Flag for if it's been compressed or not.
is_compressed = False
if compress:
# Avoid zlib dependency unless compress is being used.
compressed = zlib.compress(data)
if len(compressed) < (len(data) - 1):
data = compressed
is_compressed = True
base64d = b64_encode(data).decode()
if is_compressed:
base64d = '.' + base64d
return self.sign(base64d)
def unsign_object(self, signed_obj, serializer=JSONSerializer, **kwargs):
# Signer.unsign() returns str but base64 and zlib compression operate
# on bytes.
base64d = self.unsign(signed_obj, **kwargs).encode()
decompress = base64d[:1] == b'.'
if decompress:
# It's compressed; uncompress it first.
base64d = base64d[1:]
data = b64_decode(base64d)
if decompress:
data = zlib.decompress(data)
return serializer().loads(data)
class TimestampSigner(Signer):

View File

@ -451,6 +451,15 @@ Security
``SECRET_KEY``, and then going on to access ``settings.SECRET_KEY`` will now
raise an :exc:`~django.core.exceptions.ImproperlyConfigured` exception.
* The new ``Signer.sign_object()`` and ``Signer.unsign_object()`` methods allow
signing complex data structures. See :ref:`signing-complex-data` for more
details.
Also, :func:`signing.dumps() <django.core.signing.dumps>` and
:func:`~django.core.signing.loads` become shortcuts for
:meth:`.TimestampSigner.sign_object` and
:meth:`~.TimestampSigner.unsign_object`.
Serialization
~~~~~~~~~~~~~

View File

@ -62,6 +62,18 @@ value::
>>> original
'2.5'
If you wish to protect a list, tuple, or dictionary you can do so using the
``sign_object()`` and ``unsign_object()`` methods::
>>> signed_obj = signer.sign_object({'message': 'Hello!'})
>>> signed_obj
'eyJtZXNzYWdlIjoiSGVsbG8hIn0:Xdc-mOFDjs22KsQAqfVfi8PQSPdo3ckWJxPWwQOFhR4'
>>> obj = signer.unsign_object(signed_obj)
>>> obj
{'message': 'Hello!'}
See :ref:`signing-complex-data` for more details.
If the signature or value have been altered in any way, a
``django.core.signing.BadSignature`` exception will be raised::
@ -93,6 +105,10 @@ generate signatures. You can use a different secret by passing it to the
The ``algorithm`` parameter was added.
.. versionchanged:: 3.2
The ``sign_object()`` and ``unsign_object()`` methods were added.
Using the ``salt`` argument
---------------------------
@ -104,11 +120,17 @@ your :setting:`SECRET_KEY`::
>>> signer = Signer()
>>> signer.sign('My string')
'My string:GdMGD6HNQ_qdgxYP8yBZAdAIV1w'
>>> signer.sign_object({'message': 'Hello!'})
'eyJtZXNzYWdlIjoiSGVsbG8hIn0:Xdc-mOFDjs22KsQAqfVfi8PQSPdo3ckWJxPWwQOFhR4'
>>> signer = Signer(salt='extra')
>>> signer.sign('My string')
'My string:Ee7vGi-ING6n02gkcJ-QLHg6vFw'
>>> signer.unsign('My string:Ee7vGi-ING6n02gkcJ-QLHg6vFw')
'My string'
>>> signer.sign_object({'message': 'Hello!'})
'eyJtZXNzYWdlIjoiSGVsbG8hIn0:-UWSLCE-oUAHzhkHviYz3SOZYBjFKllEOyVZNuUtM-I'
>>> signer.unsign_object('eyJtZXNzYWdlIjoiSGVsbG8hIn0:-UWSLCE-oUAHzhkHviYz3SOZYBjFKllEOyVZNuUtM-I')
{'message': 'Hello!'}
Using salt in this way puts the different signatures into different
namespaces. A signature that comes from one namespace (a particular salt
@ -121,6 +143,10 @@ different salt.
Unlike your :setting:`SECRET_KEY`, your salt argument does not need to stay
secret.
.. versionchanged:: 3.2
The ``sign_object()`` and ``unsign_object()`` methods were added.
Verifying timestamped values
----------------------------
@ -156,23 +182,48 @@ created within a specified period of time::
otherwise raises ``SignatureExpired``. The ``max_age`` parameter can
accept an integer or a :py:class:`datetime.timedelta` object.
.. method:: sign_object(obj, serializer=JSONSerializer, compress=False)
.. versionadded:: 3.2
Encode, optionally compress, append current timestamp, and sign complex
data structure (e.g. list, tuple, or dictionary).
.. method:: unsign_object(signed_obj, serializer=JSONSerializer, max_age=None)
.. versionadded:: 3.2
Checks if ``signed_obj`` was signed less than ``max_age`` seconds ago,
otherwise raises ``SignatureExpired``. The ``max_age`` parameter can
accept an integer or a :py:class:`datetime.timedelta` object.
.. versionchanged:: 3.1
The ``algorithm`` parameter was added.
.. _signing-complex-data:
Protecting complex data structures
----------------------------------
If you wish to protect a list, tuple or dictionary you can do so using the
signing module's ``dumps`` and ``loads`` functions. These imitate Python's
pickle module, but use JSON serialization under the hood. JSON ensures that
even if your :setting:`SECRET_KEY` is stolen an attacker will not be able
to execute arbitrary commands by exploiting the pickle format::
``Signer.sign_object()`` and ``unsign_object()`` methods, or signing module's
``dumps()`` or ``loads()`` functions (which are shortcuts for
``TimestampSigner(salt='django.core.signing').sign_object()/unsign_object()``).
These use JSON serialization under the hood. JSON ensures that even if your
:setting:`SECRET_KEY` is stolen an attacker will not be able to execute
arbitrary commands by exploiting the pickle format::
>>> from django.core import signing
>>> value = signing.dumps({"foo": "bar"})
>>> signer = signing.TimestampSigner()
>>> value = signer.sign_object({'foo': 'bar'})
>>> value
'eyJmb28iOiJiYXIifQ:1NMg1b:zGcDE4-TCkaeGzLeW9UQwZesciI'
'eyJmb28iOiJiYXIifQ:1kx6R3:D4qGKiptAqo5QW9iv4eNLc6xl4RwiFfes6oOcYhkYnc'
>>> signer.unsign_object(value)
{'foo': 'bar'}
>>> value = signing.dumps({'foo': 'bar'})
>>> value
'eyJmb28iOiJiYXIifQ:1kx6Rf:LBB39RQmME-SRvilheUe5EmPYRbuDBgQp2tCAi7KGLk'
>>> signing.loads(value)
{'foo': 'bar'}
@ -194,3 +245,7 @@ and tuples) if you pass in a tuple, you will get a list from
Reverse of ``dumps()``, raises ``BadSignature`` if signature fails.
Checks ``max_age`` (in seconds) if given.
.. versionchanged:: 3.2
The ``sign_object()`` and ``unsign_object()`` methods were added.

View File

@ -122,6 +122,22 @@ class TestSigner(SimpleTestCase):
with self.assertRaises(signing.BadSignature):
signer.unsign(transform(signed_value))
def test_sign_unsign_object(self):
signer = signing.Signer('predictable-secret')
tests = [
['a', 'list'],
'a string \u2019',
{'a': 'dictionary'},
]
for obj in tests:
with self.subTest(obj=obj):
signed_obj = signer.sign_object(obj)
self.assertNotEqual(obj, signed_obj)
self.assertEqual(obj, signer.unsign_object(signed_obj))
signed_obj = signer.sign_object(obj, compress=True)
self.assertNotEqual(obj, signed_obj)
self.assertEqual(obj, signer.unsign_object(signed_obj))
def test_dumps_loads(self):
"dumps and loads be reversible for any JSON serializable object"
objects = [