
Fixes #5053 CWE-331 (#5056)
Replace uses of Random with SecureRandom.
We do not believe any of these uses of Random represent any security vulnerability, but we are making this
change out of an abundance of caution and to avoid warnings from third-party scanning tools.
gregw authored Jul 16, 2020
1 parent 668174d commit beca81c
Showing 4 changed files with 9 additions and 6 deletions.
Expand Up @@ -22,10 +22,10 @@
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.atomic.AtomicInteger;

import org.eclipse.jetty.client.HttpClient;
Expand All @@ -46,6 +46,7 @@
*/
public class DigestAuthentication extends AbstractAuthentication
{
private static final SecureRandom random = new SecureRandom();
private final String user;
private final String password;

Expand Down Expand Up @@ -216,7 +217,6 @@ private String nextNonceCount()

private String newClientNonce()
{
Random random = new Random();
byte[] bytes = new byte[8];
random.nextBytes(bytes);
return toHexString(bytes);
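Review bot: The new static field on line 34 carries no comment saying why one shared instance replaces the per-call `new Random()` it displaces, and the three other files in this commit are not uniform with it (PlusConfiguration names its static `__random`, RandomMasker constructs a generator per instance), so a later maintainer has nothing to stop them re-localising it. Suggest `// Shared instance: SecureRandom is thread-safe, and seeding a fresh one per nonce is the costly part.` above the declaration, and the Jetty `__random` spelling for the static so the four sites read alike. The 8-byte client nonce built in newClientNonce is unchanged by this commit; the method's closing brace lies outside the hunk.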
Expand Up @@ -23,6 +23,7 @@
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
Expand Down Expand Up @@ -69,6 +70,7 @@ public class MultiPartContentProvider extends AbstractTypedContentProvider imple
private static final Logger LOG = Log.getLogger(MultiPartContentProvider.class);
private static final byte[] COLON_SPACE_BYTES = new byte[]{':', ' '};
private static final byte[] CR_LF_BYTES = new byte[]{'\r', '\n'};
private static final Random random = new SecureRandom();

private final List<Part> parts = new ArrayList<>();
private final ByteBuffer firstBoundary;
Expand Down Expand Up @@ -99,7 +101,6 @@ public MultiPartContentProvider(String boundary)

private static String makeBoundary()
{
Random random = new Random();
StringBuilder builder = new StringBuilder("JettyHttpClientBoundary");
int length = builder.length();
while (builder.length() < length + 16)
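Review bot: The static on line 60 is declared as `java.util.Random` although it is only ever a `SecureRandom`, whereas DigestAuthentication in the same commit declares its field as `SecureRandom`; with the `Random` type a future edit that reverts the initialiser to `new Random()` compiles silently, so the declaration no longer documents the intent. Suggest `private static final SecureRandom random = new SecureRandom();` (the `java.util.Random` import, which is outside this hunk, can then go if nothing else in the file needs it), with a comment such as `// Shared, thread-safe generator; one instance avoids re-seeding per boundary.`. makeBoundary's loop body and closing brace lie outside the hunk.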
Expand Up @@ -18,6 +18,7 @@

package org.eclipse.jetty.plus.webapp;

import java.security.SecureRandom;
import java.util.Random;
import javax.naming.Context;
import javax.naming.InitialContext;
Expand All @@ -39,6 +40,7 @@
public class PlusConfiguration extends AbstractConfiguration
{
private static final Logger LOG = Log.getLogger(PlusConfiguration.class);
private static final Random __random = new SecureRandom();

private Integer _key;

Expand Down Expand Up @@ -99,8 +101,7 @@ protected void lockCompEnv(WebAppContext wac)
{
try (ThreadClassLoaderScope scope = new ThreadClassLoaderScope(wac.getClassLoader()))
{
Random random = new Random();
_key = random.nextInt();
_key = __random.nextInt();
Context context = new InitialContext();
Context compCtx = (Context)context.lookup("java:comp");
compCtx.addToEnvironment(NamingContext.LOCK_PROPERTY, _key);
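Review bot: `__random` on line 86 is typed as `Random` even though it is always a `SecureRandom`, and the `java.util.Random` import on line 79 now survives only for that declaration; `private static final SecureRandom __random = new SecureRandom();` states the intent in the type and lets the import go. The value drawn on line 96 becomes the `NamingContext.LOCK_PROPERTY` key in lockCompEnv, presumably the token that guards the `java:comp` context, so a brief comment above the field would help: `// Key used to lock the java:comp naming context; drawn from SecureRandom so it is not predictable.`. lockCompEnv's body continues outside the hunk.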
Expand Up @@ -18,6 +18,7 @@

package org.eclipse.jetty.websocket.client.masks;

import java.security.SecureRandom;
import java.util.Random;

import org.eclipse.jetty.websocket.common.WebSocketFrame;
Expand All @@ -28,7 +29,7 @@ public class RandomMasker implements Masker

public RandomMasker()
{
this(new Random());
this(new SecureRandom());
}

public RandomMasker(Random random)
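Review bot: The no-arg constructor on line 115 now instantiates a fresh `SecureRandom` for every RandomMasker, while the other three files in this commit share one static instance; if a masker is created per connection, seeding a new generator each time is the expensive step, and because SecureRandom is thread-safe a single `private static final Random __random = new SecureRandom();` passed as `this(__random);` would serve. Worth recording in a comment on this constructor that RFC 6455 section 5.3 requires the client masking key to come from a strong source of entropy, so this is the one site where the switch is specification-relevant rather than only precautionary. The `RandomMasker(Random random)` constructor on line 118 and the rest of the class lie outside the hunk.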
