
In my study, I have generated my SECRET_KEY every time I start the project. For this I use a variable in .env and the eval function in settings.py. These files look like this:

.env

SECRET_KEY_VALUE_ENV = secrets.token_hex(100)

settings.py

import os
import secrets  # needed because the .env value is an expression that calls secrets.token_hex()

SECRET_KEY = eval(os.environ.get('SECRET_KEY_VALUE_ENV'))

Is there any problem in generating the SECRET_KEY this way?

Tonechas
  • Not an exact duplicate but see [this question](https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key). – Selcuk Sep 16 '21 at 00:22

1 Answer


Do not use dangerous functions like eval() on a value that you do not fully control.
You do not need the eval() anyway.

If another program or script manages to set the value of SECRET_KEY_VALUE_ENV in your environment, you'll have Remote Code Execution on your machine.

Scrap the eval() and use this instead:

SECRET_KEY = os.environ.get('SECRET_KEY_VALUE_ENV')

The better way of generating the SECRET_KEY is to simply:

from django.core.management.utils import get_random_secret_key
SECRET_KEY_VALUE_ENV = get_random_secret_key()
isopach
  • I changed this setting. I was having this problem and [ Session data corrupted ] appeared randomly... Thanks for your comment. – Edgar Bruno Sep 23 '21 at 17:16
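Added example (not code from the question or the answer) contrasting the eval() loader from the question with a loader that treats the variable as plain data, and showing why a key regenerated on every start breaks existing signed session data, the "Session data corrupted" effect reported in the comment above. It assumes no Django install: `generate_secret_key` reimplements the 50-character alphabet that `get_random_secret_key()` draws from, and `sign_session`/`verify_session` are a hypothetical HMAC stand-in for Django's signing.

```python
import hashlib
import hmac
import secrets
from typing import Mapping

# Same alphabet and length Django's get_random_secret_key() uses; reimplemented
# here only so the example runs without Django installed.
SECRET_KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"


def generate_secret_key(length: int = 50) -> str:
    """Generate a key the way get_random_secret_key() does (CSPRNG, fixed alphabet)."""
    return "".join(secrets.choice(SECRET_KEY_CHARS) for _ in range(length))


def unsafe_load_secret_key(env: Mapping[str, str], name: str = "SECRET_KEY_VALUE_ENV"):
    """The pattern from the question: whatever is in the variable is executed as Python."""
    return eval(env[name])  # kept only to contrast with load_secret_key below


def load_secret_key(env: Mapping[str, str], name: str = "SECRET_KEY_VALUE_ENV") -> str:
    """The pattern from the answer: the variable is opaque data, never evaluated."""
    value = env.get(name)
    if not value or len(value) < 50:
        raise ValueError(f"{name} must be set to a string of at least 50 characters")
    return value


def sign_session(key: str, payload: bytes) -> str:
    """Hypothetical stand-in for Django's signed session/cookie MAC, keyed with SECRET_KEY."""
    return hmac.new(key.encode(), payload, hashlib.sha256).hexdigest()


def verify_session(key: str, payload: bytes, tag: str) -> bool:
    """A tag produced under one SECRET_KEY does not verify under another."""
    return hmac.compare_digest(sign_session(key, payload), tag)


if __name__ == "__main__":
    # Constructed environment: a string literal expression, 51 characters long.
    env = {"SECRET_KEY_VALUE_ENV": "'" + "a" * 49 + "'"}
    print(unsafe_load_secret_key(env))  # evaluated: 49 a's, the quotes are gone
    print(load_secret_key(env))         # data: the 51-character string as written
    k1, k2 = generate_secret_key(), generate_secret_key()  # "new key on every start"
    tag = sign_session(k1, b"sessionid=constructed")
    print(verify_session(k1, b"sessionid=constructed", tag))  # True
    print(verify_session(k2, b"sessionid=constructed", tag))  # False: session rejected
```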