// Semmle test case for CWE-335: Use of a predictable seed in a secure random number generator
// http://cwe.mitre.org/data/definitions/335.html
package test.cwe335.semmle.tests;
import java.util.Random;
import java.security.SecureRandom;
import java.math.BigInteger;
/**
 * CodeQL (Semmle) test fixture for CWE-335, "Use of a predictable seed in a
 * secure random number generator".
 *
 * <p>The BAD cases below are intentional: they exist so the query has
 * something to flag. Do not "fix" them; changing the shape of a seeding
 * expression changes what the analysis sees and would invalidate the test.
 */
class Test {

    /**
     * Exercises the seeding patterns the CWE-335 query is expected to distinguish.
     *
     * <p>GOOD cases: {@link Random} (out of scope for this query), a {@link SecureRandom}
     * left to self-seed, a seed that is itself drawn from a self-seeded SecureRandom, or a
     * predictable seed that is later supplemented via {@code setSeed}. BAD cases: a
     * SecureRandom whose only seed material is a clock value or a constant.
     */
    public void test() {
        // Clock values are the predictable inputs the BAD cases below are built from.
        long time1 = System.currentTimeMillis();
        long time2 = System.nanoTime();

        // GOOD: We only care about SecureRandom generators.
        // java.util.Random is not a CSPRNG, so a time seed here is outside the scope of CWE-335.
        Random r = new Random(time1);
        r.nextInt();

        // GOOD: SecureRandom initialized with random seed.
        // r1 is self-seeded (no-arg constructor); random_seed is derived from its output, so
        // r2 receives seed material from a CSPRNG rather than from anything guessable.
        SecureRandom r1 = new SecureRandom();
        byte[] random_seed = new BigInteger(Long.toString(r1.nextLong())).toByteArray();
        SecureRandom r2 = new SecureRandom(random_seed);
        r2.nextInt();

        // BAD: SecureRandom initialized with times.
        // The only seed material supplied is a wall-clock value. Whether the provider mixes in
        // its own entropy on this constructor path is provider-dependent, so the output may be
        // reproducible by anyone who can narrow down when the generator was created.
        SecureRandom r_time1 = new SecureRandom(new BigInteger(Long.toString(time1)).toByteArray());
        // BAD: SecureRandom initialized with times.
        // nanoTime() is no better as a seed than currentTimeMillis(): it is still a clock.
        SecureRandom r_time2 = new SecureRandom(new BigInteger(Long.toString(time2)).toByteArray());
        r_time1.nextInt(); r_time2.nextInt();

        // BAD: SecureRandom initialized with constant value.
        // A compile-time constant seed makes every run reproduce the same sequence if the
        // provider does not add its own entropy.
        SecureRandom r_const = new SecureRandom(new BigInteger(Long.toString(12345L)).toByteArray());
        r_const.nextInt();

        // BAD: SecureRandom's seed set to constant with setSeed.
        // setSeed() before any output has been drawn: depending on the provider (e.g. SHA1PRNG),
        // this replaces self-seeding rather than supplementing it, so the constant is the whole seed.
        SecureRandom r_const_set = new SecureRandom();
        r_const_set.setSeed(12345L);
        r_const_set.nextInt();

        // GOOD: SecureRandom self seeded and then seed is supplemented.
        // The nextInt() call before setSeed() forces self-seeding to happen first; setSeed()
        // then only supplements the existing seed and cannot reduce its randomness.
        SecureRandom r_selfseed = new SecureRandom();
        r_selfseed.nextInt();
        r_selfseed.setSeed(12345L);
        r_selfseed.nextInt();

        // GOOD: SecureRandom seed set to something random.
        // random_seed was drawn from the self-seeded r1 above, so the seed is unpredictable.
        SecureRandom r_random_set = new SecureRandom();
        r_random_set.setSeed(random_seed);
        r_random_set.nextInt();

        // GOOD: SecureRandom seeded with a bad seed but then seed is supplemented.
        // The constant alone would be BAD (compare r_const_set); the second setSeed() with
        // random_seed adds unpredictable material before any output is drawn.
        SecureRandom r_suplseed = new SecureRandom();
        r_suplseed.setSeed(12345L);
        r_suplseed.setSeed(random_seed);
        r_suplseed.nextInt();

        // GOOD: SecureRandom seeded with composite seed that is partially random.
        // The constant 0L contributes no entropy; all of the seed's unpredictability comes
        // from r1, which is self-seeded.
        SecureRandom r_composite = new SecureRandom();
        r_composite.setSeed(0L + r1.nextLong());
        r_composite.nextInt();
    }
}