From ccca82407cd40dfed91436aaea41e97b44db6a23 Mon Sep 17 00:00:00 2001
From: Alexey Efimov <3126299+mr-africa@users.noreply.github.com>
Date: Thu, 9 Dec 2021 17:30:11 +0500
Subject: [PATCH] change java.util.Random to java.security.SecureRandom (#1831)
---
 CHANGELOG.md | 1 +
 sentry/src/main/java/io/sentry/SentryClient.java | 6 +++---
 sentry/src/main/java/io/sentry/TracesSampler.java | 8 ++++----
 sentry/src/test/java/io/sentry/TracesSamplerTest.kt | 4 ++--
 4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 93603d13ad0..8e51e7fb8ca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Unreleased
 * Ref: Rename Fragment span operation from `ui.fragment.load` to `ui.load` (#1824)
+* Ref: change `java.util.Random` to `java.security.SecureRandom` for possible security reasons (#1831)
 * Fix: Sending errors in Spring WebFlux integration (#1819)
 ## 5.4.3
diff --git a/sentry/src/main/java/io/sentry/SentryClient.java b/sentry/src/main/java/io/sentry/SentryClient.java
index 615995dda47..b7fb87f4906 100644
--- a/sentry/src/main/java/io/sentry/SentryClient.java
+++ b/sentry/src/main/java/io/sentry/SentryClient.java
@@ -9,6 +9,7 @@
 import io.sentry.util.Objects;
 import java.io.Closeable;
 import java.io.IOException;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -16,7 +17,6 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Random;
 import org.jetbrains.annotations.ApiStatus;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
@@ -29,7 +29,7 @@ public final class SentryClient implements ISentryClient {
 private final @NotNull SentryOptions options;
 private final @NotNull ITransport transport;
- private final @Nullable Random random;
+ private final @Nullable SecureRandom random;
 private final @NotNull SortBreadcrumbsByDate sortBreadcrumbsByDate = new SortBreadcrumbsByDate();
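Review bot: In SentryClient.java the `random` field is now declared as the concrete `SecureRandom`, and the same narrowing is applied to the field and the `@TestOnly` constructor parameter in TracesSampler.java; the declared type could stay `java.util.Random`, since `SecureRandom` extends it and the only call visible in this patch is the test's `random.nextDouble()`. I would keep `private final @Nullable Random random;` and change only the instantiation to `new SecureRandom()`, so tests can still inject a seeded `Random` instead of mocking a JCA class. The usage sites of the field lie outside these hunks, so this assumes they call nothing specific to `SecureRandom`. If the concrete type is deliberate, to stop a weaker generator being passed in later, a one-line comment on the field saying so would be enough.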
@@ -51,7 +51,7 @@ public boolean isEnabled() {
 final RequestDetailsResolver requestDetailsResolver = new RequestDetailsResolver(options);
 transport = transportFactory.create(options, requestDetailsResolver.resolve());
- this.random = options.getSampleRate() == null ? null : new Random();
+ this.random = options.getSampleRate() == null ? null : new SecureRandom();
 }
 private boolean shouldApplyScopeData(
diff --git a/sentry/src/main/java/io/sentry/TracesSampler.java b/sentry/src/main/java/io/sentry/TracesSampler.java
index 4babf853e2c..9f14ec95028 100644
--- a/sentry/src/main/java/io/sentry/TracesSampler.java
+++ b/sentry/src/main/java/io/sentry/TracesSampler.java
@@ -1,20 +1,20 @@
 package io.sentry;
 import io.sentry.util.Objects;
-import java.util.Random;
+import java.security.SecureRandom;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.TestOnly;
 final class TracesSampler {
 private final @NotNull SentryOptions options;
- private final @NotNull Random random;
+ private final @NotNull SecureRandom random;
 public TracesSampler(final @NotNull SentryOptions options) {
- this(Objects.requireNonNull(options, "options are required"), new Random());
+ this(Objects.requireNonNull(options, "options are required"), new SecureRandom());
 }
 @TestOnly
- TracesSampler(final @NotNull SentryOptions options, final @NotNull Random random) {
+ TracesSampler(final @NotNull SentryOptions options, final @NotNull SecureRandom random) {
 this.options = options;
 this.random = random;
 }
diff --git a/sentry/src/test/java/io/sentry/TracesSamplerTest.kt b/sentry/src/test/java/io/sentry/TracesSamplerTest.kt
index e3f1aab6dfd..595d853181b 100644
--- a/sentry/src/test/java/io/sentry/TracesSamplerTest.kt
+++ b/sentry/src/test/java/io/sentry/TracesSamplerTest.kt
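Review bot: The `new SecureRandom()` assigned in the SentryClient constructor carries no comment explaining why a CSPRNG is wanted for what looks like a sample-rate draw (the instance is only created when `options.getSampleRate()` is non-null), and the changelog entry's "possible security reasons" names no threat. Nothing in the hunk suggests the drawn value is a secret or feeds an identifier, so I would record the intent next to the assignment, for example `// SecureRandom per #1831; sampling draw only, not a source of secrets`, and likewise at `new SecureRandom()` in the public TracesSampler constructor in the next hunk. SecureRandom draws are typically slower than `java.util.Random` and, depending on the provider, may serialize concurrent callers, so it is worth measuring if the draw happens once per event. The constructor body starts above this hunk.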
@@ -2,7 +2,7 @@ package io.sentry
 import com.nhaarman.mockitokotlin2.mock
 import com.nhaarman.mockitokotlin2.whenever
-import java.util.Random
+import java.security.SecureRandom
 import kotlin.test.Test
 import kotlin.test.assertFalse
 import kotlin.test.assertTrue
@@ -10,7 +10,7 @@ import kotlin.test.assertTrue
 class TracesSamplerTest {
 class Fixture {
 internal fun getSut(randomResult: Double? = null, tracesSampleRate: Double? = null, tracesSamplerResult: Double? = Double.MIN_VALUE): TracesSampler {
- val random = mock()
+ val random = mock()
 if (randomResult != null) {
 whenever(random.nextDouble()).thenReturn(randomResult)
 }