goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Django 5.x no longer supports PickleSerializer #7761

Open. PKizzle opened this issue 11 months ago

PKizzle commented 11 months ago

Describe the bug

With the upcoming Django 5.0 release (currently release candidate 1 is available) the PickleSerializer is no longer supported. Currently authentik uses this serializer for session serialization. This also has security implications, as the PickleSerializer is deemed dangerous. Switching to the JSONSerializer is currently not possible as it prevents authentik from starting up correctly.

To Reproduce

  1. Change the PickleSerializer to JSONSerializer. https://github.com/goauthentik/authentik/blob/2bc4506f9e46a095b1b1f3db9b6f381c110a5a8c/authentik/root/settings.py#L207
  2. Boot up authentik
  3. Check prometheus for alerts that no connection to the worker can be established

Expected behavior

Authentik should start up correctly.

Screenshots

Prometheus alert: https://ok8.sh/i/hguJa6.png

Logs

Attached: authentik-server.log, authentik-worker.log

Version and Deployment (please complete the following information):

BeryJu commented 11 months ago

Thanks for the notice, I must've missed this in the Django 5.0 release notes. For the time being we'll stay with the pickle serializer; there'd have to be quite a few changes to make the JSON serializer work since we store things like FlowPlan instances in the session, and we rely on them being serialized as-is with all the database models.

I do in general agree that there are potential security concerns with pickle, but I think it's outside of the threat model: if someone was able to write data to the session in an uncontrolled way (be it with pickle or JSON), they could become any user.

PKizzle commented 11 months ago

I understand that moving away from pickle requires a lot of work in the form of custom de-/serialization methods. Could you make a rough estimate how many classes require custom de-/serialization in order to move to the JSON serializer?

If someone would want to work on that topic, how is it possible to debug the session serialization? The log files do not contain any errors hinting in that direction.

BeryJu commented 11 months ago

The main one I'm thinking of is the flow executor, which stores the flow plan with all bindings and such in the session, but realistically all uses of the session would have to be inspected to be sure.
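An added example, not authentik's code, sketching the two things asked about above: a session serializer in the shape Django's SESSION_SERIALIZER setting expects (dumps to bytes, loads from bytes) that JSON-encodes only explicitly registered classes and refuses unknown type tags on load, plus a helper that reports which session keys a serializer still cannot handle. FlowPlan is a hypothetical stand-in for the objects kept in the session, not authentik's real class, and the session keys are constructed.

```python
import json
from dataclasses import dataclass, asdict, field


@dataclass
class FlowPlan:
    """Hypothetical stand-in for an object stored in the session (not authentik's class)."""
    flow_pk: str
    bindings: list = field(default_factory=list)


class SessionJSONSerializer:
    """Same contract as a Django session serializer: dumps(obj) -> bytes, loads(bytes) -> obj.

    Unlike pickle, loads() never executes code: it only rebuilds types that were
    registered here, and rejects any other tag found in the stored data.
    """
    # class name -> (to_dict, from_dict); extend for every class the session stores
    registry = {"FlowPlan": (asdict, lambda d: FlowPlan(**d))}

    def _default(self, obj):
        name = type(obj).__name__
        if name in self.registry:
            return {"__type__": name, "data": self.registry[name][0](obj)}
        # Name the offending class so a missing custom serializer is visible in logs
        raise TypeError(f"session value of type {name} needs a registered serializer")

    def _object_hook(self, d):
        tag = d.get("__type__")
        if tag is None:
            return d
        if tag not in self.registry:
            raise ValueError(f"refusing to deserialize unregistered type {tag}")
        return self.registry[tag][1](d["data"])

    def dumps(self, obj):
        return json.dumps(obj, default=self._default, separators=(",", ":")).encode("latin-1")

    def loads(self, data):
        return json.loads(data.decode("latin-1"), object_hook=self._object_hook)


def unsupported_keys(serializer, session):
    """Return (key, reason) for every session entry the serializer cannot encode."""
    bad = []
    for key, value in session.items():
        try:
            serializer.dumps(value)
        except TypeError as exc:
            bad.append((key, str(exc)))
    return bad
```

Running unsupported_keys over a real session dict is a quick way to list which stored classes still need custom handling before switching serializers.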

authentik-automation[bot] commented 9 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.