JHipster Vuln: Add GOOD/BAD & release note links

This commit is contained in:
Jonathan Leitschuh
2020-10-12 11:00:05 -04:00
parent 8272d591b6
commit 895f4d0ea6
3 changed files with 8 additions and 7 deletions


@@ -16,7 +16,7 @@ Using this information, they can create a reset link that allows them to take ov
<example>
<p>The example below shows the vulnerable <code>RandomUtil</code> class generated by JHipster.</p>
<p>The example below shows the vulnerable <code>RandomUtil</code> class generated by <a href="https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html">JHipster prior to version 6.3.0</a>.</p>
<sample src="JHipsterGeneratedPRNGVulnerable.java" />
<p>Below is a fixed version of the <code>RandomUtil</code> class.</p>


@@ -6,7 +6,7 @@ import java.security.SecureRandom;
* Utility class for generating random Strings.
*/
public final class RandomUtil {
private static final SecureRandom SECURE_RANDOM = new SecureRandom();
private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom
private static final int DEF_COUNT = 20;
@@ -18,6 +18,7 @@ public final class RandomUtil {
}
private static String generateRandomAlphanumericString() {
// GOOD: Passing Secure Random to RandomStringUtils::random
return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
}
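Review bot: The `// GOOD: Using SecureRandom` comment added on the `SECURE_RANDOM` field states the conclusion without the reason it holds: declaring a `SecureRandom` field fixes nothing by itself, the property comes from the second hunk, where that instance is handed to `RandomStringUtils.random(...)` inside `generateRandomAlphanumericString()`. Since this file is the fixed counterpart of the BAD sample, the field comment could point the reader to that, e.g. `// GOOD: SecureRandom instance that is passed to every RandomStringUtils.random call below`. The class body continues outside both hunks, so whether every generator in the file routes through this helper is not visible here.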


@@ -16,7 +16,7 @@ public final class RandomUtil {
* @return the generated password.
*/
public static String generatePassword() {
return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
}
/**
@@ -25,7 +25,7 @@ public final class RandomUtil {
* @return the generated activation key.
*/
public static String generateActivationKey() {
return RandomStringUtils.randomNumeric(DEF_COUNT);
return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
}
/**
@@ -34,7 +34,7 @@ public final class RandomUtil {
* @return the generated reset key.
*/
public static String generateResetKey() {
return RandomStringUtils.randomNumeric(DEF_COUNT);
return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
}
/**
@@ -44,7 +44,7 @@ public final class RandomUtil {
* @return the generated series data.
*/
public static String generateSeriesData() {
return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
}
/**
@@ -53,6 +53,6 @@ public final class RandomUtil {
* @return the generated token data.
*/
public static String generateTokenData() {
return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
}
}
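Review bot: The comment added in `generatePassword()` reads `// BAD: RandomStringUtils oes not use SecureRandom` — "oes" is a typo for "does", and the same typo is repeated in the comments added to `generateActivationKey()`, `generateResetKey()`, `generateSeriesData()` and `generateTokenData()` in the following four hunks. Suggested text for all five: `// BAD: RandomStringUtils.random* uses a shared java.util.Random, not SecureRandom`, which also names what the call does use rather than only what it omits (that is my recollection of the commons-lang3 implementation; if unsure, keep the shorter wording with just the typo fixed). These comments are the sample's teaching annotations, so the typo would be copied verbatim into the rendered query help.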