Replies: 2 comments 3 replies
-
|
What would be a use case for signing tasks? I should think that only trusted code would add tasks to the queue, so there's no point in verifying the authenticity of a task. |
Beta Was this translation helpful? Give feedback.
-
|
An attacker would have to nab the Django secret key and have write access to your backend rather than just the latter. It prevents people with access to your backend but not your app adding their own tasks. Just making this up, if you have a task that creates a new user with so and so permissions, enqueued on a RabbitMQ backend, if you have a RabbitMQ misconfiguration, somebody could slip in their own task to create a user with admin privileges. |
Beta Was this translation helpful? Give feedback.
-
|
That makes sense. But the attacker would only be able to add tasks that are already defined in the application, so unless you have a task for creating users with arbitrary attributes, it won't be possible for them to create admin users. I think it's feasible to implement signatures on top of what django-tasks provides: just have each task check its arguments, perhaps using a decorator to avoid repeating the logic. I think most people might not want signature checking, and it's a trade-off, as it does involve some computational overhead. |
Beta Was this translation helpful? Give feedback.
-
|
Agreed, task signatures could be behind an optional flag. |
Beta Was this translation helpful? Give feedback.
-
|
Similar comments to this came up during the DEP drafting process: django/deps#86 (comment) |
Beta Was this translation helpful? Give feedback.
-
Django has a great built-in in the
django.core.signing.Signerpackage. Allow backends to indicate if they support signed tasks, say with.supports_signed_taskor similar? The backend could sign the serialized task during the enqueue action and the backend worker would be responsible for deserializing and checking the signature.Beta Was this translation helpful? Give feedback.
All reactions