Skip to content

[Enhancement]: Optimize insecure random number generation in function … util/string.go:RandomString #2698

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 23, 2023
Merged

[Enhancement]: Optimize insecure random number generation in function … util/string.go:RandomString #2698

merged 1 commit into from
Oct 23, 2023

Conversation

true1064
Copy link
Contributor

@true1064 true1064 commented Oct 23, 2023
edited
Loading

What this PR does / why we need it:
refer fo https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm

function RandomString in util/string.go is insecure,for it is using pseudorandom generator and time stamp as random seed, this could allow an attacker to predict and/or guess the generated string.

shuold replace the pseudorandom generator withTrue Random Number Generator.

Which issue this PR fixes:

fixes #2696

@netlify
Copy link

netlify bot commented Oct 23, 2023
edited
Loading

Deploy Preview for cubefs-check ready!

Name Link
🔨 Latest commit 99b1b28
🔍 Latest deploy log https://app.netlify.com/sites/cubefs-check/deploys/6535daa9de132d0008f13eb8
😎 Deploy Preview https://deploy-preview-2698--cubefs-check.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@codecov
Copy link

codecov bot commented Oct 23, 2023
edited
Loading

Codecov Report

Merging #2698 (99b1b28) into master (71cbf46) will decrease coverage by 0.02%.
The diff coverage is 60.00%.

@@            Coverage Diff             @@
##           master    #2698      +/-   ##
==========================================
- Coverage   42.13%   42.12%   -0.02%     
==========================================
  Files         568      568              
  Lines      117072   117074       +2     
==========================================
- Hits        49334    49316      -18     
- Misses      63501    63525      +24     
+ Partials     4237     4233       -4
Files Coverage Δ
util/string.go 81.25% <100.00%> (ø)
proto/packet.go 0.00% <0.00%> (ø)

... and 14 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

baijiaruo
baijiaruo approved these changes Oct 23, 2023
View reviewed changes
Copy link
Collaborator

@baijiaruo baijiaruo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

leonrayang
leonrayang approved these changes Oct 23, 2023
View reviewed changes
Copy link
Member

@leonrayang leonrayang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@true1064
[Enhancement]: Optimize insecure random number generation in function…
99b1b28 
… util/string.go:RandomString

close: cubefs#2696
Signed-off-by: true1064 <tangjingyu@oppo.com>
@true1064 true1064 merged commit 8555c64 into cubefs:master Oct 23, 2023
@bboyCH4 bboyCH4 added this to the release-3.3.1 milestone Dec 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@baijiaruo baijiaruo baijiaruo approved these changes

@leonrayang leonrayang leonrayang approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
release-3.3.1
Development

Successfully merging this pull request may close these issues.

[Enhancement]: Optimize insecure random number generation in function util/string.go:RandomString
4 participants
@true1064 @baijiaruo @leonrayang @bboyCH4