Skip to content

fix: using SecureRandom in perf tools #2420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix: using SecureRandom in perf tools #2420

wants to merge 1 commit into from

Conversation

yannaingtun
Copy link

Description
This PR fixes a potential security vulnerability in the randomString method in PerfConfig.java by replacing ThreadLocalRandom with SecureRandom for generating random strings.

Issue
The current implementation uses ThreadLocalRandom which is not cryptographically secure and could lead to predictable tokens when used for security purposes.

Fix
Replace ThreadLocalRandom.current() with new SecureRandom() to ensure cryptographic strength.

References
Similar to vulnerability in CVE-2017-15911
Fixed in Openfire: igniterealtime/Openfire@7ff1f73

@SCNieh
Copy link
Contributor

SCNieh commented Apr 16, 2025

Hi, thanks for your commit, however the purpose of using Random here is simply to generate non-repeatable topic names for benchmark test, so I don't think is neccessary to use a secure random generator here for there is no cryptographically need in this case

@CLAassistant
Copy link

CLAassistant commented Apr 16, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@daniel-y daniel-y changed the title Fix security vulnerability in randomString method by using SecureRand… fix: using SecureRandom in perf tools Apr 22, 2025
@daniel-y
Copy link
Contributor

@yannaingtun could you please sign the CLA before merging this PR?

@SCNieh SCNieh closed this Apr 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@superhx superhx Awaiting requested review from superhx superhx is a code owner

@SCNieh SCNieh Awaiting requested review from SCNieh SCNieh is a code owner

@Chillax-0v0 Chillax-0v0 Awaiting requested review from Chillax-0v0 Chillax-0v0 is a code owner

@Gezi-lzq Gezi-lzq Awaiting requested review from Gezi-lzq Gezi-lzq is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@yannaingtun @SCNieh @CLAassistant @daniel-y