From 5bbd2e7b112ad1a92a192e2aaa7de582ad1edd39 Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Fri, 18 Sep 2020 02:49:44 -0400 Subject: [PATCH] CVE-2019-16303 - JHipster Vulnerability Fix - Use CSPRNG in RandomUtil This fixes a security vulnerability in this project where the `RandomUtil.java` file(s) were using an insecure Pseudo Random Number Generator (PRNG) instead of a Cryptographically Secure Pseudo Random Number Generator (CSPRNG) for security sensitive data. Signed-off-by: Jonathan Leitschuh --- .../com/adama/api/util/random/RandomUtil.java | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/adama-core/src/main/java/com/adama/api/util/random/RandomUtil.java b/adama-core/src/main/java/com/adama/api/util/random/RandomUtil.java index a748b87..c357a11 100644 --- a/adama-core/src/main/java/com/adama/api/util/random/RandomUtil.java +++ b/adama-core/src/main/java/com/adama/api/util/random/RandomUtil.java @@ -2,22 +2,33 @@ import org.apache.commons.lang.RandomStringUtils; +import java.security.SecureRandom; + /** * Utility class for generating random Strings. */ public final class RandomUtil { + private static final SecureRandom SECURE_RANDOM = new SecureRandom(); private static final int DEF_COUNT = 20; + static { + SECURE_RANDOM.nextBytes(new byte[64]); + } + private RandomUtil() { } + private static String generateRandomAlphanumericString() { + return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM); + } + /** * Generates a password. * * @return the generated password */ public static String generatePassword() { - return RandomStringUtils.randomAlphanumeric(DEF_COUNT); + return generateRandomAlphanumericString(); } /** @@ -26,6 +37,6 @@ public static String generatePassword() { * @return the generated reset key */ public static String generateResetKey() { - return RandomStringUtils.randomNumeric(DEF_COUNT); + return generateRandomAlphanumericString(); } }