Secret key exposed on oTreeHub with single-line triple-quoted string #107

peterjc opened this issue Sep 24, 2021 · 2 comments

peterjc commented Sep 24, 2021

There doesn't seem to be a search option, so the page number may change...

  1. Go to https://www.otreehub.com/projects/?page=6 (page number will change)
  2. Find the "test-carl" entry:

test-carl

Links

  • Demo
  • Browse source code
  • Download

Description
""" SECRET_KEY = "#n38c)phqy1^2qhv8pk18i_3v9b%#n+*y__@611$a+s#$&a4ao" # if an app is included in SESSION_CONFIGS, you don"t need to list it here INSTALLED_APPS = ["otree"] #DATABASE_URL = "postgres://postgres@localhost/django_db" #REDIS_URL = "redis://localhost:6379"

Apps

  • effort Separate players based on real effort task and gender into groups competing against each other
  • Veronika ""\n

Last updated
2020-11-03

  1. Notice the secret key is shown as if it were part of the DEMO_PAGE_INTRO_HTML setting.
  2. Click the tool title link, or go to https://www.otreehub.com/projects/test-carl/
  3. Again the SECRET_KEY is visible, and the following lines too.
  4. Click "browse source code"
  5. Click "settings.py"
  6. The file currently ends as follows:
...
#OTREE_AUTH_LEVEL = "STUDY"
ADMIN_USERNAME = "admin"
# for security, best to set admin password in an environment variable
ADMIN_PASSWORD = environ.get("OTREE_ADMIN_PASSWORD")

DEMO_PAGE_INTRO_HTML = """ """

SECRET_KEY = "#n38c)phqy1^2qhv8pk18i_3v9b%#n+*y__@611$a+s#$&a4ao"

# if an app is included in SESSION_CONFIGS, you don"t need to list it here
INSTALLED_APPS = ["otree"]

#DATABASE_URL = "postgres://postgres@localhost/django_db"
#REDIS_URL = "redis://localhost:6379"

"""environ["DATABASE_URL"] = "postgres://postgres@localhost/django_db"
environ["REDIS_URL"] = "redis://localhost:6379"
environ["OTREE_ADMIN_PASSWORD"] = "odraSe5ku"
environ["OTREE_AUTH_LEVEL"] = "STUDY" 
STATICFILES_DIRS = [os.path.join(BASE_DIR, "static/effort/data")]
STATIC_ROOT = os.path.join(BASE_DIR, 'staticfiles')
STATIC_URL = "/static/" """

if environ.get('OTREE_PRODUCTION') not in {None, '', '0'}:
    DEBUG = False
else:
    DEBUG = True

environ["OTREE_AUTH_LEVEL"] = "STUDY"
environ["OTREE_ADMIN_PASSWORD"] = "odraSe5ku"
PRODUCTION = 1
  1. Notice the line DEMO_PAGE_INTRO_HTML = """ """ sets the description to a single space.
  2. Notice the text shown continues to the start of a multi-line string (being used as a comment).
  3. I suspect that oTree Hub is somehow parsing settings.py to try to pull out the value, and this corner case of a triple-quoted string on a single line breaks it - and it continues taking text until the next triple-quote.
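To make the suspected failure mode concrete, here is an added example (not oTreeHub's code, whose extractor is not visible on this page): a hypothetical line scanner that stops only at a triple quote on a *later* line, beside an extractor that lets Python's own grammar decide where the string ends. The settings excerpt is constructed to mirror the layout above, with placeholder values in place of the reported key and password.

```python
import ast

# Constructed settings.py excerpt mirroring the layout in the report: a one-line
# triple-quoted DEMO_PAGE_INTRO_HTML followed by a multi-line string used as a
# comment.  Key and password are placeholders, not the values from the issue.
SETTINGS_SRC = '''\
ADMIN_USERNAME = "admin"

DEMO_PAGE_INTRO_HTML = """ """

SECRET_KEY = "PLACEHOLDER-SECRET-KEY"

INSTALLED_APPS = ["otree"]

"""environ["OTREE_ADMIN_PASSWORD"] = "PLACEHOLDER-PASSWORD"
STATIC_URL = "/static/" """
'''

SETTING = "DEMO_PAGE_INTRO_HTML"


def naive_intro_html(src: str) -> str:
    """Hypothetical line scanner of the kind the report suspects: take what
    follows the opening triple quote, then append lines until one contains a
    triple quote.  It never checks whether the string already closed on the
    opening line, so a one-line value overshoots into later settings."""
    lines = src.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(SETTING):
            _, _, rest = line.partition('"""')
            collected = [rest]
            for later in lines[i + 1:]:
                if '"""' in later:
                    collected.append(later.split('"""', 1)[0])
                    break
                collected.append(later)
            return "\n".join(collected)
    return ""


def ast_intro_html(src: str) -> str:
    """Let the Python grammar decide where the string ends: parse the file
    with ast and read the constant assigned to SETTING (empty if absent)."""
    for node in ast.parse(src).body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == SETTING for t in node.targets
        ):
            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
                return node.value.value
    return ""
```

On this input the scanner returns a description containing the SECRET_KEY line, while the ast-based extractor returns the single space the file actually assigns. As the follow-up comment notes, a key committed to a browsable repository is exposed regardless of how the hub renders it.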

peterjc commented Sep 24, 2021

(This isn't a serious security issue because by design the SECRET_KEY is visible anyway by downloading or browsing the source code)

oTree-org commented Sep 24, 2021 via email
