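--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-24 - [Insecure Random Number Generation]
+**Vulnerability:** Weak random number generation using `random.choices` for passwords and unique identifiers (e.g. root SSH password, user IDs, session IDs).
+**Learning:** `random.choices` is not cryptographically secure and predictable. It should never be used for security-sensitive operations.
+**Prevention:** Always use the `secrets` module (e.g. `secrets.choice`) for generating cryptographic or security-sensitive identifiers.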
4 changes: 2 additions & 2 deletions agent.py
@@ -1,4 +1,4 @@
import asyncio, random, string, threading
import asyncio, random, string, threading, secrets

from collections import OrderedDict
from dataclasses import dataclass, field
Expand Down Expand Up @@ -135,7 +135,7 @@ def all():
@staticmethod
def generate_id():
def generate_short_id():
return "".join(random.choices(string.ascii_letters + string.digits, k=8))
return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(8))

while True:
short_id = generate_short_id()
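Review bot: The inner `generate_short_id` on the new side is a character-for-character copy of `helpers/guids.py:generate_id` (same alphabet, same length, same `secrets.choice` loop), so the next fix will again have to land in two places; replace its body with `return guids.generate_id(8)` (adding `from helpers import guids` if agent.py does not already import it, which this hunk does not show). Worth a comment at the call site: 8 alphanumeric characters give about 47.6 bits, adequate for a collision-checked short ID — the `while True` loop at the end of the hunk looks like that check — but well below the 64 bits normally expected of a session or bearer token, so if these IDs are ever used as the session IDs the sentinel entry mentions, `secrets.token_urlsafe` is the better fit. `random` is still imported on the file's first line; if nothing else in agent.py uses it, drop it so a linter flags any reintroduction. `generate_id` continues past the end of the hunk.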
4 changes: 2 additions & 2 deletions helpers/guids.py
@@ -1,4 +1,4 @@
import random, string
import random, string, secrets

def generate_id(length: int = 8) -> str:
return "".join(random.choices(string.ascii_letters + string.digits, k=length))
return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))
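Review bot: `generate_id` has no guard on `length`: `range(length)` with 0 or a negative value returns `""` without error, and a consumer would then treat the empty string as a valid (and shared) identifier; add `if length < 1: raise ValueError("length must be >= 1")` before the join. The function also has no docstring; a one-liner saying the result is drawn from `secrets` and carries roughly 5.95 bits of entropy per character (62 symbols) tells callers how long an ID must be for a token versus a mere label. If `random` is no longer used elsewhere in this module, remove it from the import line so the unsafe helper cannot be picked up again by habit.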
3 changes: 2 additions & 1 deletion prepare.py
@@ -1,6 +1,7 @@
from helpers import dotenv, runtime, settings
import string
import random
import secrets
import sys
from helpers.print_style import PrintStyle

Expand Down Expand Up @@ -33,7 +34,7 @@ def _retire_legacy_collabora_runtime() -> None:
# generate random root password if not set (for SSH)
root_pass = dotenv.get_dotenv_value(dotenv.KEY_ROOT_PASSWORD)
if not root_pass:
root_pass = "".join(random.choices(string.ascii_letters + string.digits, k=32))
root_pass = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(32))
PrintStyle.standard("Changing root password...")
settings.set_root_password(root_pass)

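Review bot: `import random` survives on the new side next to `import secrets`; if nothing else in prepare.py still uses it, remove the line, otherwise a later `random.choices` here will import cleanly and silently undo the fix the sentinel entry records. Either way the regression is cheap to catch mechanically: enable ruff `S311` (bandit `B311`) in CI so any `random` call on a password or token path is flagged before review. The generation itself is sound — 32 characters from a 62-symbol alphabet is about 190 bits — but a comment should record why an alphanumeric alphabet was chosen over `secrets.token_urlsafe` (presumably so the value survives shell or `chpasswd` quoting — confirm), e.g. `# alphanumeric only: assumed to be passed through a shell/password tool — TODO confirm`. The password block sits inside a function whose `def` line is outside the hunk.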