Bug #21669 (closed): Stop using UUIDs as system token
Pull Request: https://github.com/Normation/rudder/pull/4490
Priority: 0
Name check: To do
Fix check: To do
Regression: No
Description
And use random chars directly from SecureRandom, as done for other tokens.

The only current implementation of StringUuidGenerator uses java.util.UUID.randomUUID, which in turn gets 122 bits (because part of the UUID is not random) from java.security.SecureRandom, which is suitable for the purpose.

But this is sub-optimal for two reasons:
- It does not communicate the intent. UUIDs are meant to be unique, not cryptographically secure.
- The StringUuidGenerator trait does not carry any guarantee about randomness, and one could easily switch implementation and produce predictable tokens.
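As an added illustration (not Rudder's code and not the contents of the linked pull request), here is a Scala sketch of the two approaches contrasted above: a UUID used as a token, beside a generator that draws bytes directly from SecureRandom behind a trait whose name states the requirement. The names `TokenExample`, `uuidToken`, `SystemTokenGenerator` and `SecureRandomTokenGenerator` are assumptions made for this example.

```scala
import java.security.SecureRandom
import java.util.{Base64, UUID}

// Added example for this issue, not Rudder code: the UUID-based token the
// issue argues against, beside a generator that draws from SecureRandom.
object TokenExample {

  // Before: a UUID as token. randomUUID does use SecureRandom underneath, but
  // 6 of the 128 bits are fixed (version 4, RFC 4122 variant), leaving 122
  // random bits, and the API only promises uniqueness, not unpredictability.
  def uuidToken(): String = UUID.randomUUID().toString

  // A trait whose name states the requirement (hypothetical name). An
  // implementation that only guarantees uniqueness (a counter, a time-based
  // UUID) would be an obvious misfit here, unlike with a generic
  // "StringUuidGenerator" trait.
  trait SystemTokenGenerator {
    def newToken(): String
  }

  // After: random bytes straight from SecureRandom, URL-safe base64 encoded.
  // 32 bytes give 256 bits of entropy, and the size is a parameter rather
  // than being dictated by the UUID format.
  final class SecureRandomTokenGenerator(numBytes: Int = 32) extends SystemTokenGenerator {
    require(numBytes >= 16, "a token needs at least 128 bits of entropy")
    private val rng = new SecureRandom()

    def newToken(): String = {
      val bytes = new Array[Byte](numBytes)
      rng.nextBytes(bytes)
      Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
    }
  }

  def main(args: Array[String]): Unit = {
    val gen = new SecureRandomTokenGenerator()
    println(s"uuid token   : ${uuidToken()}")    // 36 chars, 122 random bits
    println(s"secure token : ${gen.newToken()}") // 43 chars, 256 random bits
  }
}
```

The point of the separate trait is the second bullet above: with `StringUuidGenerator` as the dependency, any implementation that produces unique strings type-checks, even one with no randomness at all, whereas a `SystemTokenGenerator` makes a non-random implementation a visible design error rather than a silent substitution.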
Updated by Alexis Mousset over 2 years ago
- Subject changed from Stop using UUIDs for system token to Stop using UUIDs as system token
Updated by Alexis Mousset about 2 years ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset about 2 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/4490
Updated by Alexis Mousset about 2 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|78ee0cd2e4f739c912727a1faedb2f1ab7e95133.
Updated by Vincent MEMBRÉ almost 2 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 7.3.0~beta1 which was released today.