From 0ac6e172c42fc90785d3cceaa3672ded627d2ff3 Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Fri, 18 Sep 2020 12:47:35 -0400 Subject: [PATCH] CVE-2019-16303 - JHipster Vulnerability Fix - Use CSPRNG in RandomUtil This fixes a security vulnerability in this project where the `RandomUtil.java` file(s) were using an insecure Pseudo Random Number Generator (PRNG) instead of a Cryptographically Secure Pseudo Random Number Generator (CSPRNG) for security sensitive data. Signed-off-by: Jonathan Leitschuh --- .../idsg/bikeman/service/util/RandomUtil.java | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/main/java/de/rwth/idsg/bikeman/service/util/RandomUtil.java b/src/main/java/de/rwth/idsg/bikeman/service/util/RandomUtil.java index ce69602e..7f25abea 100644 --- a/src/main/java/de/rwth/idsg/bikeman/service/util/RandomUtil.java +++ b/src/main/java/de/rwth/idsg/bikeman/service/util/RandomUtil.java @@ -2,23 +2,34 @@ import org.apache.commons.lang.RandomStringUtils; +import java.security.SecureRandom; + /** * Utility class for generating random Strings. */ public final class RandomUtil { + private static final SecureRandom SECURE_RANDOM = new SecureRandom(); private static final int DEF_COUNT = 20; + static { + SECURE_RANDOM.nextBytes(new byte[64]); + } + private RandomUtil() { } + private static String generateRandomAlphanumericString() { + return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM); + } + /** * Generates a password. * * @return the generated password */ public static String generatePassword() { - return RandomStringUtils.randomAlphanumeric(DEF_COUNT); + return generateRandomAlphanumericString(); } /** @@ -27,6 +38,6 @@ public static String generatePassword() { * @return the generated activation key */ public static String generateActivationKey() { - return RandomStringUtils.randomNumeric(DEF_COUNT); + return generateRandomAlphanumericString(); } }