This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 598ccb64c Improved: Improve use of RandomStringUtils where it's 
potentially used in an insecure way (OFBIZ-12854)
598ccb64c is described below

commit 598ccb64cd89b1a62fcf6b5fcda23ab961c6581d
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Tue Sep 12 11:15:32 2023 +0200

    Improved: Improve use of RandomStringUtils where it's potentially used in 
an insecure way (OFBIZ-12854)
    
    This is related to CWE-338 and CVE-2019-16303 that don't concern OFBiz.
    
    Actually, the password generated by the passport component is not less secure
    than the OFBiz password used OOTB in many places. But it is somewhat hidden
    (automated generation), and it is easy to randomise it better while still using
    only alphanumeric chars, as currently.
    
    There are other uses of RandomStringUtils but they don't relate to passwords
    generation and are safely used.
    
    Thanks: Alessandro Albani who reported globally for all ASF projects
---
 .../src/main/java/org/apache/ofbiz/passport/event/GitHubEvents.java | 6 ++++--
 .../main/java/org/apache/ofbiz/passport/event/LinkedInEvents.java   | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git 
a/passport/src/main/java/org/apache/ofbiz/passport/event/GitHubEvents.java 
b/passport/src/main/java/org/apache/ofbiz/passport/event/GitHubEvents.java
index 05c77f237..05fe18041 100644
--- a/passport/src/main/java/org/apache/ofbiz/passport/event/GitHubEvents.java
+++ b/passport/src/main/java/org/apache/ofbiz/passport/event/GitHubEvents.java
@@ -77,6 +77,7 @@ public class GitHubEvents {
     private static final String SESSION_GITHUB_STATE = "_GITHUB_STATE_";
 
     private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+    private static final String ALPHANUMERIC = 
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
 
     public static final String ENV_PREFIX = 
UtilProperties.getPropertyValue(GitHubAuthenticator.PROPS, "github.env.prefix", 
"test");
 
@@ -275,8 +276,9 @@ public class GitHubEvents {
                 String userLoginId = authn.createUser(userInfo);
                 userLogin = 
EntityQuery.use(delegator).from("UserLogin").where("userLoginId", 
userLoginId).queryOne();
             }
-            String autoPassword = 
RandomStringUtils.randomAlphanumeric(EntityUtilProperties.getPropertyAsInteger("security",
-                    "password.length.min", 5));
+            String autoPassword = RandomStringUtils.random(
+                    EntityUtilProperties.getPropertyAsInteger("security", 
"password.length.min", 5), 0, 0, true, true,
+                    ALPHANUMERIC.toCharArray(), SECURE_RANDOM);
             boolean useEncryption = 
"true".equals(UtilProperties.getPropertyValue("security", "password.encrypt"));
             userLogin.set("currentPassword", useEncryption ? 
HashCrypt.digestHash(LoginServices.getHashType(), null, autoPassword) : 
autoPassword);
             userLogin.store();
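Review bot: The new `RandomStringUtils.random(…, 0, 0, true, true, ALPHANUMERIC.toCharArray(), SECURE_RANDOM)` call at lines 63-66 relies on the `0, 0` start/end sentinel (which, as far as I recall, makes commons-lang draw from the whole `chars` array) and on the `letters`/`numbers` filters being no-ops against an already alphanumeric array; none of that is visible at the call site, so a comment would protect it from being "simplified" back: `// SECURE_RANDOM on purpose: RandomStringUtils.randomAlphanumeric() uses a non-cryptographic RNG (CWE-338)`. A second point: the length comes from `security.password.length.min` (default 5), i.e. the minimum a human is allowed to choose, and a 5-character alphanumeric string carries only about 30 bits of entropy, so an auto-generated credential the user never types would be better served by its own, larger length than by the minimum. The `ALPHANUMERIC` literal and this call are duplicated verbatim in the LinkedInEvents hunks (lines 85-86 and 99-102); a shared constant or helper would keep the two in sync. The enclosing method starts and ends outside the hunk.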
diff --git 
a/passport/src/main/java/org/apache/ofbiz/passport/event/LinkedInEvents.java 
b/passport/src/main/java/org/apache/ofbiz/passport/event/LinkedInEvents.java
index 923f7fa45..2b49b7cb2 100644
--- a/passport/src/main/java/org/apache/ofbiz/passport/event/LinkedInEvents.java
+++ b/passport/src/main/java/org/apache/ofbiz/passport/event/LinkedInEvents.java
@@ -80,6 +80,7 @@ public class LinkedInEvents {
     public static final String ENV_PREFIX = 
UtilProperties.getPropertyValue(LinkedInAuthenticator.getPROPS(), 
"linkedin.env.prefix", "test");
 
     private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+    private static final String ALPHANUMERIC = 
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
 
     /**
      * Redirect to LinkedIn login page.
@@ -266,8 +267,9 @@ public class LinkedInEvents {
                 String userLoginId = authn.createUser(userInfo);
                 userLogin = 
EntityQuery.use(delegator).from("UserLogin").where("userLoginId", 
userLoginId).queryOne();
             }
-            String autoPassword = 
RandomStringUtils.randomAlphanumeric(EntityUtilProperties.getPropertyAsInteger("security",
-                    "password.length.min", 5));
+            String autoPassword = RandomStringUtils.random(
+                    EntityUtilProperties.getPropertyAsInteger("security", 
"password.length.min", 5), 0, 0, true, true,
+                    ALPHANUMERIC.toCharArray(), SECURE_RANDOM);
             boolean useEncryption = 
"true".equals(UtilProperties.getPropertyValue("security", "password.encrypt"));
             userLogin.set("currentPassword", useEncryption ? 
HashCrypt.digestHash(LoginServices.getHashType(), null, autoPassword) : 
autoPassword);
             userLogin.store();
