Pickle Vulnerabilities#


The python pickle module has known security vulnerabilities, potentially leading to code execution when deserialzing data.

This means it should only be used to deserialize data that you trust hasn’t been tampered with. Since this isn’t always possible, aiohttp-client-cache can optionally use itsdangerous to add a layer of security around these operations. It works by signing serialized data with a secret key that you control. Then, if the data is tampered with, the signature check fails and raises an error.

Creating and Storing a Secret Key#

To enable this behavior, first create a secret key, which can be any str or bytes object.

One common pattern for handling this is to store it wherever you store the rest of your credentials (Linux keyring, macOS keychain, password database, etc.), set it in an environment variable, and then read it in your application:

>>> import os
>>> secret_key = os.environ['SECRET_KEY']

Alternatively, you can use the keyring package to read the key directly:

>>> import keyring
>>> secret_key = keyring.get_password('aiohttp-example', 'secret_key')

Signing Cached Responses#

Once you have your key, just pass it to CachedSession or install_cache() to start using it:

>>> from aiohttp_client_cache import CachedSession, RedisBackend

>>> cache = RedisBackend(secret_key=secret_key)
>>> async with CachedSession(cache=cache) as session:
>>>     await session.get('')

You can verify that it’s working by modifying the cached item (without your key):

>>> cache_2 = RedisBackend(secret_key='a different key')
>>> async with CachedSession(cache=cache) as session_2:
>>>     cache_key = list(await session_2.cache.responses.keys())[0]
>>>     await session_2.cache.responses.write(cache_key, 'exploit!')

Then, if you try to get that cached response again (with your key), you will get an error:

>>> async with CachedSession(cache=cache) as session:
>>>     await session.get('')
BadSignature: Signature b'iFNmzdUOSw5vqrR9Cb_wfI1EoZ8' does not match