Skip to content

fix: using SecureRandom in perf tools #2420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation

yannaingtun
Copy link

Description
This PR fixes a potential security vulnerability in the randomString method in PerfConfig.java by replacing ThreadLocalRandom with SecureRandom for generating random strings.

Issue
The current implementation uses ThreadLocalRandom which is not cryptographically secure and could lead to predictable tokens when used for security purposes.

Fix
Replace ThreadLocalRandom.current() with new SecureRandom() to ensure cryptographic strength.

References
Similar to vulnerability in CVE-2017-15911
Fixed in Openfire: igniterealtime/Openfire@7ff1f73

@SCNieh
Copy link
Contributor

SCNieh commented Apr 16, 2025

Hi, thanks for your commit, however the purpose of using Random here is simply to generate non-repeatable topic names for benchmark test, so I don't think is neccessary to use a secure random generator here for there is no cryptographically need in this case

@CLAassistant
Copy link

CLAassistant commented Apr 16, 2025

CLA assistant check
All committers have signed the CLA.

@daniel-y daniel-y changed the title Fix security vulnerability in randomString method by using SecureRand… fix: using SecureRandom in perf tools Apr 22, 2025
@daniel-y
Copy link
Contributor

@yannaingtun could you please sign the CLA before merging this PR?

@SCNieh SCNieh closed this Apr 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants