ZhenYi/gitdataai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: harden session key derivation from APP_SESSION_SECRET

Browse Source 
- Reject secrets shorter than 32 bytes (fall back to generated key)
- Use SHA-256 hash instead of naive byte cycling to derive the key
  (cycling "password" to 64 bytes gave extremely low entropy)
This commit is contained in:
ZhenYi 2026-04-27 13:59:31 +08:00
parent 0a272ed63a
commit 6a123170a1
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
apps/app/src/main.rs
View File

@ -107,8 +107,18 @@ where
fn build_session_key(cfg: &AppConfig) -> anyhow::Result<Key> {
if let Some(secret) = cfg.env.get("APP_SESSION_SECRET") {
let bytes: Vec<u8> = secret.as_bytes().iter().cycle().take(64).copied().collect();
return Ok(Key::from(&bytes));
if secret.len() < 32 {
tracing::warn!(
secret_len = secret.len(),
"APP_SESSION_SECRET is too short (<32 bytes), using generated key instead"
);
return Ok(Key::generate());
}
use sha2::{Digest, Sha256};
let mut hasher = Sha256::new();
hasher.update(secret.as_bytes());
let hash = hasher.finalize();
return Ok(Key::from(hash.as_slice()));
}
Ok(Key::generate())
}