Prefer SecureRandom over Random
ID: java-security/avoid-random
Language: Java
Severity: Notice
Category: Security
CWE: 330 (Use of Insufficiently Random Values)
Description
Functions such as Math.random() and objects like java.util.Random are statistical
pseudo-random number generators, not cryptographically secure ones: their internal
state is small and their output can be predicted by an attacker who observes a few
previous values or guesses the seed. They must not be used to produce
security-sensitive values such as PINs, session identifiers, tokens, keys, salts or
nonces. Use java.security.SecureRandom instead; it is thread-safe, so a single
shared instance is fine.
Non-Compliant Code Examples
@RestController
public class ImageServlet {
  // NON-COMPLIANT (java-security/avoid-random): the PIN that gates the challenge is
  // drawn from java.util.Random, a predictable PRNG. Because the field is static and
  // final it is also computed once per class load, so every request shares the same
  // PIN until the JVM restarts. A security-sensitive value like this should come from
  // java.security.SecureRandom.
  public static final int PINCODE = new java.util.Random().nextInt(10000);

  // Offset of the first PIN digit inside the image returned by getBytes().
  private static final int PIN_OFFSET = 81216;

  /**
   * Serves the challenge logo with the zero-padded four-digit PIN written into four
   * consecutive bytes of the image starting at PIN_OFFSET.
   *
   * @return the image bytes with the PIN characters embedded
   * @throws IOException propagated from getBytes()
   */
  @RequestMapping(
      method = {GET, POST},
      value = "/challenge/logo",
      produces = MediaType.IMAGE_PNG_VALUE)
  @ResponseBody
  public byte[] logo() throws IOException {
    byte[] image = getBytes();
    // nextInt(10000) yields 0..9999, so "%04d" always produces exactly four characters.
    String digits = String.format("%04d", PINCODE);
    for (int i = 0; i < 4; i++) {
      image[PIN_OFFSET + i] = (byte) digits.charAt(i);
    }
    return image;
  }
}
@RestController
public class ImageServlet {
  // NON-COMPLIANT (java-security/avoid-random): a PIN produced by java.util.Random is
  // predictable (48-bit linear congruential generator), and as a static final it is
  // generated a single time for the lifetime of the class. Replace with a value drawn
  // from java.security.SecureRandom.
  public static final int PINCODE = new Random().nextInt(10000);

  /**
   * Serves the challenge logo, overwriting four bytes of the image (offsets
   * 81216..81219) with the ASCII digits of the zero-padded PIN.
   *
   * @return the image bytes with the PIN characters embedded
   * @throws IOException propagated from getBytes()
   */
  @RequestMapping(
      method = {GET, POST},
      value = "/challenge/logo",
      produces = MediaType.IMAGE_PNG_VALUE)
  @ResponseBody
  public byte[] logo() throws IOException {
    byte[] payload = getBytes();
    String pin = String.format("%04d", PINCODE);
    int slot = 81216;
    for (char digit : pin.toCharArray()) {
      payload[slot++] = (byte) digit;
    }
    return payload;
  }
}
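@RestController
public class ImageServlet {
  // NON-COMPLIANT (java-security/avoid-random): java.util.Random is not a
  // cryptographically secure generator; a PIN derived from it can be predicted.
  // Use java.security.SecureRandom for security-sensitive values.
  public static final int PINCODE = new Random().nextInt(10000);

  /**
   * Serves the challenge logo endpoint.
   *
   * <p>The original snippet declared a {@code byte[]} return type but never returned
   * a value (a compile error) and left the random value unused; it now hands the
   * value back so the example compiles while still exhibiting the finding.
   *
   * @return the textual form of the weak random value, UTF-8 encoded
   * @throws IOException declared for parity with the other examples
   */
  @RequestMapping(
      method = {GET, POST},
      value = "/challenge/logo",
      produces = MediaType.IMAGE_PNG_VALUE)
  @ResponseBody
  public byte[] logo() throws IOException {
    // NON-COMPLIANT: Math.random() is backed by a single java.util.Random instance,
    // so it is just as predictable as calling new Random() directly.
    double v = Math.random();
    // Explicit charset: pre-Java 18 getBytes() without one uses the platform default.
    return Double.toString(v).getBytes(java.nio.charset.StandardCharsets.UTF_8);
  }
}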
Compliant Code Examples
import org.apache.commons.codec.binary.Hex;
class Class {
  /** Number of random bytes per token; 32 bytes gives 256 bits of entropy. */
  private static final int TOKEN_BYTES = 32;

  /**
   * Generates a fresh, unpredictable secret token.
   *
   * <p>COMPLIANT: the bytes come from java.security.SecureRandom, a CSPRNG, rather
   * than java.util.Random or Math.random(). SecureRandom is thread-safe, so a single
   * static final instance could equally be reused instead of constructing one per call.
   *
   * @return the 32 random bytes encoded as 64 hexadecimal characters
   */
  String generateSecretToken() {
    byte[] raw = new byte[TOKEN_BYTES];
    new SecureRandom().nextBytes(raw);
    return Hex.encodeHexString(raw);
  }
}