[
https://issues.apache.org/jira/browse/LANG-1750?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17873495#comment-17873495
]
Gilles Sadowski commented on LANG-1750:
---------------------------------------
bq. [...] with 3.17 I will rewrite my use of RandomStringUtils to the insecure
option (as my use is not for cryptographic purposes)
If you are settling for a rewrite, maybe you should have a look at "Commons
RNG":
https://commons.apache.org/proper/commons-rng/commons-rng-simple/index.html
A "bridge" will let you choose any of the 50+ PRNG algorithms, and use it in
calls to {{RandomStringUtils}}:
https://commons.apache.org/proper/commons-rng/commons-rng-simple/apidocs/org/apache/commons/rng/simple/JDKRandomBridge.html
IMHO, this decoupling helps guard against the kind of surprise that has just
happened.
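The bridge approach suggested in the comment above, as an added example that is not code from the Jira thread or from the Commons projects themselves. It assumes commons-lang3 and commons-rng-simple on the classpath and uses the seven-argument {{RandomStringUtils.random}} overload that takes a {{java.util.Random}}, so the generator in use is the one the caller passes in rather than whatever {{insecure()}} happens to forward to; the seed value and class name are constructed for the example.

```java
import java.util.Random;

import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.rng.simple.JDKRandomBridge;
import org.apache.commons.rng.simple.RandomSource;

/**
 * Added example (not from the Jira thread): feed an explicit, non-cryptographic
 * PRNG from Commons RNG into RandomStringUtils so that the choice of generator
 * no longer depends on whether the library's insecure() path forwards to secure().
 */
public final class BridgedRandomStrings {

    private BridgedRandomStrings() {
    }

    /**
     * Returns an alphanumeric string of the given length drawn from the supplied
     * java.util.Random. Passing start/end of 0 with letters and numbers true
     * selects the full [0-9A-Za-z] alphabet; a null char[] means no custom alphabet.
     */
    static String alphanumeric(int length, Random rng) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, rng);
    }

    public static void main(String[] args) {
        // Seed value is constructed for this example. A fixed seed gives a
        // reproducible sequence (handy for tests and cache keys) but makes the
        // output predictable, so this bridge belongs in the non-cryptographic
        // use case the reporter describes, never in session or reset tokens.
        long seed = 0x5EEDL;
        Random bridged = new JDKRandomBridge(RandomSource.SPLIT_MIX_64, seed);

        String first = alphanumeric(16, bridged);
        String second = alphanumeric(16, new JDKRandomBridge(RandomSource.SPLIT_MIX_64, seed));

        System.out.println(first);
        // Same source and seed produce the same string, which shows the
        // generator actually in use is the one passed in, not a hidden SecureRandom.
        System.out.println(first.equals(second) ? "reproducible" : "NOT reproducible");
    }
}
```

Swapping {{RandomSource.SPLIT_MIX_64}} for another entry of {{RandomSource}} changes the algorithm without touching the string-building code, which is the decoupling the comment refers to.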
> Using RandomStringUtils.insecure() still leads to using the secure() random
> ---------------------------------------------------------------------------
>
> Key: LANG-1750
> URL: https://issues.apache.org/jira/browse/LANG-1750
> Project: Commons Lang
> Issue Type: Bug
> Components: lang.*
> Affects Versions: 3.16.0
> Reporter: Marco Hoek
> Assignee: Gary D. Gregory
> Priority: Major
> Fix For: 3.17.0
>
>
> In RandomStringUtils v3.16, the use of secure() vs insecure() is used to be
> able to choose which random generator to use. However, consider the following
> code path:
>
> a) RandomStringUtils.insecure().nextAlphanumeric(length)
> leads to the instance method 'nextAlphanumeric', which in turn calls:
> b) static method RandomStringUtils.random(count, true, true)
> which in turn calls
> c) static method RandomStringUtils.secure().next(count, letters, numbers)
>
> Conclusion: where I want to use the "insecure" option path, I end up having
> the call forwarded to the "secure" random provider anyway. Where I then run
> into the problem of having too low entropy and experiencing terrible
> performance.... (see LANG-1748)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)