orbit-oss/flask
4
4
Fork 2
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Handle missing secret key during session save

Browse source
This commit is contained in:
pefia 2026-03-27 11:28:04 +00:00
parent 7ef2946fb5
commit b00c66248d
2 changed files with 28 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

19
src/flask/sessions.py
View file

@ -13,6 +13,12 @@ from werkzeug.datastructures import CallbackDict
from .json.tag import TaggedJSONSerializer from .json.tag import TaggedJSONSerializer
_missing_secret_key_err_msg = (
"The session is unavailable because no secret "
"key was set. Set the secret_key on the "
"application to something unique and secret."
)
if t.TYPE_CHECKING: # pragma: no cover if t.TYPE_CHECKING: # pragma: no cover
import typing_extensions as te import typing_extensions as te
@ -87,11 +93,7 @@ class NullSession(SecureCookieSession):
""" """
def _fail(self, *args: t.Any, **kwargs: t.Any) -> t.NoReturn: def _fail(self, *args: t.Any, **kwargs: t.Any) -> t.NoReturn:
raise RuntimeError( raise RuntimeError(_missing_secret_key_err_msg)
"The session is unavailable because no secret "
"key was set. Set the secret_key on the "
"application to something unique and secret."
)
__setitem__ = __delitem__ = clear = pop = popitem = update = setdefault = _fail __setitem__ = __delitem__ = clear = pop = popitem = update = setdefault = _fail
del _fail del _fail
@ -370,7 +372,12 @@ class SecureCookieSessionInterface(SessionInterface):
return return
expires = self.get_expiration_time(app, session) expires = self.get_expiration_time(app, session)
val = self.get_signing_serializer(app).dumps(dict(session)) # type: ignore[union-attr] s = self.get_signing_serializer(app)
if s is None:
raise RuntimeError(_missing_secret_key_err_msg)
val = s.dumps(dict(session))
response.set_cookie( response.set_cookie(
name, name,
val, val,

15
tests/test_session_interface.py
View file

@ -1,3 +1,5 @@
import pytest
import flask import flask
from flask.globals import app_ctx from flask.globals import app_ctx
from flask.sessions import SessionInterface from flask.sessions import SessionInterface
@ -26,3 +28,16 @@ def test_open_session_with_endpoint():
response = app.test_client().get("/") response = app.test_client().get("/")
assert response.status_code == 200 assert response.status_code == 200
def test_save_session_without_secret_key(app):
app.secret_key = "test key"
session = app.session_interface.session_class({"foo": "bar"})
session.modified = True
app.secret_key = None
with pytest.raises(RuntimeError) as e:
app.session_interface.save_session(app, session, app.response_class())
assert e.value.args and "session is unavailable" in e.value.args[0]
assert "no secret key was set" in e.value.args[0]