This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git

commit cf086a2b476cc86ed8acc017f42481d8170a50f5
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sun Dec 5 08:08:00 2021 +0100

    Improved:  Fix some bugs Spotbugs reports (OFBIZ-12386)
    
    In GitHubEvents::gitHubRedirect, random object created and used only once.
    
    This code creates a java.util.Random object, uses it to generate one random
    number, and then discards the Random object. This produces mediocre quality
    random numbers and is inefficient. If possible, rewrite the code so that the
    Random object is created once and saved, and each time a new random number 
is
    required invoke a method on the existing Random object to obtain it.
    Also fixes 2 Javadoc errors
    
    In SampleHtmlThread, uses SecureRandom rather than Random class
    
    In LinkedInEvents::linkedInRedirect, uses SecureRandom rather than Random 
class
    Also fixes 2 Javadoc errors
---
 .../java/org/apache/ofbiz/passport/event/GitHubEvents.java  | 13 +++++++------
 .../org/apache/ofbiz/passport/event/LinkedInEvents.java     | 13 +++++++------
 .../apache/ofbiz/htmlreport/sample/SampleHtmlThread.java    |  7 +++----
 3 files changed, 17 insertions(+), 16 deletions(-)

diff --git 
a/passport/src/main/java/org/apache/ofbiz/passport/event/GitHubEvents.java 
b/passport/src/main/java/org/apache/ofbiz/passport/event/GitHubEvents.java
index f1e6530..043de1f 100644
--- a/passport/src/main/java/org/apache/ofbiz/passport/event/GitHubEvents.java
+++ b/passport/src/main/java/org/apache/ofbiz/passport/event/GitHubEvents.java
@@ -24,8 +24,8 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
+import java.security.SecureRandom;
 import java.util.Map;
-import java.util.Random;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -39,8 +39,6 @@ import org.apache.http.client.utils.URIBuilder;
 import org.apache.http.impl.client.BasicResponseHandler;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
-import org.apache.ofbiz.passport.user.GitHubAuthenticator;
-import org.apache.ofbiz.passport.util.PassportUtil;
 import org.apache.ofbiz.base.conversion.ConversionException;
 import org.apache.ofbiz.base.conversion.JSONConverters.JSONToMap;
 import org.apache.ofbiz.base.crypto.HashCrypt;
@@ -57,6 +55,8 @@ import org.apache.ofbiz.entity.GenericEntityException;
 import org.apache.ofbiz.entity.GenericValue;
 import org.apache.ofbiz.entity.util.EntityQuery;
 import org.apache.ofbiz.entity.util.EntityUtilProperties;
+import org.apache.ofbiz.passport.user.GitHubAuthenticator;
+import org.apache.ofbiz.passport.util.PassportUtil;
 import org.apache.ofbiz.product.store.ProductStoreWorker;
 import org.apache.ofbiz.service.LocalDispatcher;
 
@@ -88,7 +88,7 @@ public class GitHubEvents {
 
     /**
      * Redirect to GitHub login page.
-     * @return
+     * @return string "success" or "error"
      */
     public static String gitHubRedirect(HttpServletRequest request, 
HttpServletResponse response) {
         GenericValue oauth2GitHub = getOAuth2GitHubConfig(request);
@@ -97,10 +97,11 @@ public class GitHubEvents {
         }
         String clientId = 
oauth2GitHub.getString(PassportUtil.COMMON_CLIENT_ID);
         String returnURI = 
oauth2GitHub.getString(PassportUtil.COMMON_RETURN_RUL);
+        SecureRandom secureRandom = new SecureRandom();
 
         // Get user authorization code
         try {
-            String state = System.currentTimeMillis() + String.valueOf((new 
Random(10)).nextLong());
+            String state = System.currentTimeMillis() + 
String.valueOf((secureRandom.nextLong()));
             request.getSession().setAttribute(SESSION_GITHUB_STATE, state);
             String redirectUrl = TOKEN_END_POINT + AUTHORIZE_URI
                     + "?client_id=" + clientId
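Review bot: The added `SecureRandom secureRandom = new SecureRandom();` still instantiates a fresh generator on every call of gitHubRedirect, which is the pattern the commit message itself says to avoid (create once, reuse); SecureRandom is thread-safe, so it belongs in a class field, `private static final SecureRandom SECURE_RANDOM = new SecureRandom();`, and the state line becomes `String state = System.currentTimeMillis() + String.valueOf(SECURE_RANDOM.nextLong());`, which also drops the leftover double parentheses in `String.valueOf((secureRandom.nextLong()))`. The same per-call instantiation is in the corresponding hunk of LinkedInEvents.linkedInRedirect. The value is only a CSRF guard if the callback compares it with the session attribute, which presumably happens in parseGitHubResponse but is outside this hunk. gitHubRedirect's body continues past the end of the hunk.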
@@ -125,7 +126,7 @@ public class GitHubEvents {
 
     /**
      * Parse GitHub login response and login the user if possible.
-     * @return
+     * @return string "success" or "error"
      */
     public static String parseGitHubResponse(HttpServletRequest request, 
HttpServletResponse response) {
         String authorizationCode = 
request.getParameter(PassportUtil.COMMON_CODE);
diff --git 
a/passport/src/main/java/org/apache/ofbiz/passport/event/LinkedInEvents.java 
b/passport/src/main/java/org/apache/ofbiz/passport/event/LinkedInEvents.java
index 48e6f37..c9b9929 100644
--- a/passport/src/main/java/org/apache/ofbiz/passport/event/LinkedInEvents.java
+++ b/passport/src/main/java/org/apache/ofbiz/passport/event/LinkedInEvents.java
@@ -24,8 +24,8 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
+import java.security.SecureRandom;
 import java.util.Map;
-import java.util.Random;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -40,8 +40,6 @@ import org.apache.http.client.utils.URIBuilder;
 import org.apache.http.impl.client.BasicResponseHandler;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
-import org.apache.ofbiz.passport.user.LinkedInAuthenticator;
-import org.apache.ofbiz.passport.util.PassportUtil;
 import org.apache.ofbiz.base.conversion.ConversionException;
 import org.apache.ofbiz.base.conversion.JSONConverters.JSONToMap;
 import org.apache.ofbiz.base.crypto.HashCrypt;
@@ -58,6 +56,8 @@ import org.apache.ofbiz.entity.GenericEntityException;
 import org.apache.ofbiz.entity.GenericValue;
 import org.apache.ofbiz.entity.util.EntityQuery;
 import org.apache.ofbiz.entity.util.EntityUtilProperties;
+import org.apache.ofbiz.passport.user.LinkedInAuthenticator;
+import org.apache.ofbiz.passport.util.PassportUtil;
 import org.apache.ofbiz.product.store.ProductStoreWorker;
 import org.apache.ofbiz.service.LocalDispatcher;
 import org.w3c.dom.Document;
@@ -81,7 +81,7 @@ public class LinkedInEvents {
 
     /**
      * Redirect to LinkedIn login page.
-     * @return
+     * @return string "success" or "error"
      */
     public static String linkedInRedirect(HttpServletRequest request, 
HttpServletResponse response) {
         GenericValue oauth2LinkedIn = getOAuth2LinkedInConfig(request);
@@ -93,8 +93,9 @@ public class LinkedInEvents {
         String returnURI = oauth2LinkedIn.getString(ENV_PREFIX + 
PassportUtil.RETURN_URL_LABEL);
 
         // Get user authorization code
+        SecureRandom secureRandom = new SecureRandom();
         try {
-            String state = System.currentTimeMillis() + String.valueOf((new 
Random(10)).nextLong());
+            String state = System.currentTimeMillis() + 
String.valueOf((secureRandom.nextLong()));
             request.getSession().setAttribute(SESSION_LINKEDIN_STATE, state);
             String redirectUrl = TOKEN_END_POINT + AUTHORIZE_URI
                     + "?client_id=" + clientId
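Review bot: The new `SecureRandom secureRandom = new SecureRandom();` is inserted between the `// Get user authorization code` comment and the `try` block that comment describes, so the comment now reads as if it labelled the generator; the GitHubEvents hunk of this same commit declares it above the comment, and the two files should match. Either move the declaration up one line or, better, make it a `private static final` field so the comment and the try stay adjacent. linkedInRedirect's body continues past the end of the hunk.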
@@ -119,7 +120,7 @@ public class LinkedInEvents {
 
     /**
      * Parse LinkedIn login response and login the user if possible.
-     * @return
+     * @return string "success" or "error"
      */
     public static String parseLinkedInResponse(HttpServletRequest request, 
HttpServletResponse response) {
         String authorizationCode = 
request.getParameter(PassportUtil.COMMON_CODE);
diff --git 
a/pricat/src/main/java/org/apache/ofbiz/htmlreport/sample/SampleHtmlThread.java 
b/pricat/src/main/java/org/apache/ofbiz/htmlreport/sample/SampleHtmlThread.java
index 5528e28..85f8595 100644
--- 
a/pricat/src/main/java/org/apache/ofbiz/htmlreport/sample/SampleHtmlThread.java
+++ 
b/pricat/src/main/java/org/apache/ofbiz/htmlreport/sample/SampleHtmlThread.java
@@ -18,17 +18,16 @@
  
*******************************************************************************/
 package org.apache.ofbiz.htmlreport.sample;
 
+import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
-import java.util.Random;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.UtilProperties;
-
 import org.apache.ofbiz.htmlreport.AbstractReportThread;
 import org.apache.ofbiz.htmlreport.InterfaceReport;
 
@@ -62,7 +61,7 @@ public class SampleHtmlThread extends AbstractReportThread {
         try {
             if (getName().startsWith(COUNT_DOWN)) {
                 getReport().println(UtilProperties.getMessage(RESOURCE, 
"START_COUNT_DOWN", getLocale()), InterfaceReport.FORMAT_HEADLINE);
-                Random random = new Random();
+                SecureRandom random = new SecureRandom();
                 int j = 0;
                 for (int i = 1000; i > 0; i--) {
                     sleep(20);
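Review bot: `SecureRandom random = new SecureRandom();` is created separately in each branch of the `if`/`else if` (here and in the next hunk of this file at `COUNT_UP`), so the two branches duplicate the same declaration; one `SecureRandom random = new SecureRandom();` above the `if (getName().startsWith(COUNT_DOWN))` line, or a `private static final` field, serves both. Since this is a sample report thread where the random values appear to drive only a demo count, a one-line comment such as `// SecureRandom chosen to satisfy static analysis; the values carry no security meaning` would stop the next reader from looking for a security property that presumably is not there — confirm against the loop body. The enclosing run method starts before this hunk and the loop body that consumes `random` lies outside it.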
@@ -76,7 +75,7 @@ public class SampleHtmlThread extends AbstractReportThread {
                 getReport().println(UtilProperties.getMessage(RESOURCE, 
"COUNT_COMPLETED", getLocale()), InterfaceReport.FORMAT_HEADLINE);
             } else if (getName().startsWith(COUNT_UP)) {
                 getReport().println(UtilProperties.getMessage(RESOURCE, 
"START_COUNT_UP", getLocale()), InterfaceReport.FORMAT_HEADLINE);
-                Random random = new Random();
+                SecureRandom random = new SecureRandom();
                 int j = 0;
                 for (int i = 1; i <= 1000; i++) {
                     sleep(20);
