Prefer SecureRandom over Random
ID: java-security/avoid-random
Language: Java
Severity: Notice
Category: Security
CWE: 330
Description
Functions such as Math.random()
and objects like java.util.Random
do not provide cryptographically strong randomness and must not be used for security-sensitive values. Consider using java.security.SecureRandom
instead.
Non-Compliant Code Examples
@RestController
public class ImageServlet {
    // Non-compliant: java.util.Random is not a cryptographically strong source,
    // so a PIN drawn from it is not suitable as a secret (CWE-330, see above).
    // As a static final field the value is drawn once, at class initialisation,
    // and the same four-digit PIN (10000 possible values) is then reused for
    // every request until the class is reloaded.
    public static final int PINCODE = new java.util.Random().nextInt(10000);

    /**
     * Serves the challenge logo with the four PIN digits written into fixed
     * byte offsets 81216..81219 of the image returned by getBytes().
     *
     * @return the image bytes with the zero-padded PIN characters patched in
     * @throws IOException as declared; getBytes() is not shown in this snippet,
     *         so the condition under which it throws cannot be stated here
     */
    @RequestMapping(
        method = {GET, POST},
        value = "/challenge/logo",
        produces = MediaType.IMAGE_PNG_VALUE)
    @ResponseBody
    public byte[] logo() throws IOException {
        byte[] in = getBytes();
        // Zero-pad to exactly four characters so charAt(0..3) below are always defined.
        String pincode = String.format("%04d", PINCODE);
        // Each ASCII digit is narrowed to a byte and stored at a hard-coded offset;
        // this presumes the image is at least 81220 bytes long — TODO confirm.
        in[81216] = (byte) pincode.charAt(0);
        in[81217] = (byte) pincode.charAt(1);
        in[81218] = (byte) pincode.charAt(2);
        in[81219] = (byte) pincode.charAt(3);
        return in;
    }
}
@RestController
public class ImageServlet {
    // Non-compliant: same defect as with the fully qualified name — Random is
    // not a cryptographically strong source, so the PIN it yields is not a
    // usable secret (CWE-330). Drawn once at class initialisation and reused
    // for every request thereafter.
    public static final int PINCODE = new Random().nextInt(10000);

    /**
     * Serves the challenge logo with the four PIN digits written into fixed
     * byte offsets 81216..81219 of the image returned by getBytes().
     *
     * @return the image bytes with the zero-padded PIN characters patched in
     * @throws IOException as declared; getBytes() is defined outside this snippet
     */
    @RequestMapping(
        method = {GET, POST},
        value = "/challenge/logo",
        produces = MediaType.IMAGE_PNG_VALUE)
    @ResponseBody
    public byte[] logo() throws IOException {
        byte[] in = getBytes();
        // "%04d" guarantees four characters, so the four charAt() calls are in range.
        String pincode = String.format("%04d", PINCODE);
        // Digit characters narrowed to bytes at hard-coded offsets; the image is
        // presumed to be at least 81220 bytes long — TODO confirm.
        in[81216] = (byte) pincode.charAt(0);
        in[81217] = (byte) pincode.charAt(1);
        in[81218] = (byte) pincode.charAt(2);
        in[81219] = (byte) pincode.charAt(3);
        return in;
    }
}
@RestController
public class ImageServlet {
    // Non-compliant: Random is not a cryptographically strong source (CWE-330).
    public static final int PINCODE = new Random().nextInt(10000);

    /**
     * Illustrative fragment: shows Math.random() being flagged by this rule.
     * The body has no return statement, so as written it would not compile;
     * only the Math.random() call is the point of the example.
     *
     * @return nothing — the body is intentionally incomplete
     * @throws IOException as declared
     */
    @RequestMapping(
        method = {GET, POST},
        value = "/challenge/logo",
        produces = MediaType.IMAGE_PNG_VALUE)
    @ResponseBody
    public byte[] logo() throws IOException {
        // Non-compliant: Math.random() is likewise not a cryptographically
        // strong source and should not feed security-sensitive values.
        var v = Math.random();
    }
}
Compliant Code Examples
import org.apache.commons.codec.binary.Hex;
class Class {
    /**
     * Generates a fresh secret token from a cryptographically strong source.
     *
     * <p>Compliant: 32 bytes are drawn from {@code SecureRandom} rather than
     * {@code java.util.Random} or {@code Math.random()}, then hex-encoded.
     *
     * @return a 64-character hexadecimal string encoding 32 random bytes
     */
    String generateSecretToken() {
        var rng = new SecureRandom();
        var tokenBytes = new byte[32];
        rng.nextBytes(tokenBytes);
        return Hex.encodeHexString(tokenBytes);
    }
}