Project

General

Profile

Actions

Bug #21669

closed

Stop using UUIDs as system token

Added by Alexis Mousset about 2 years ago. Updated almost 2 years ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
No

Description

And use random chars directly from SecureRandom, as done for other tokens.

The current only implementation of StringUuidGenerator uses java.util.UUID.randomUUID, which in turn gets 122 bits (because a part of the uuid is not random) from java.security.SecureRandom, which is suitable for the purpose.

But this is sub-optimal for two reasons:

  • It does not communicate the intent. UUID are meant to be unique, not cryptographically secure.
  • The StringUuidGenerator trait does not carry any garantee about randomness, and one could easily switch implementation and produce predictable tokens.

Subtasks 1 (0 open1 closed)

Bug #21801: Bad init order for the token generator used for system api tokenReleasedAlexis MoussetActions
Actions

Also available in: Atom PDF