Use crypto/rand instead of math/rand #20
Opening post (@elithrar):

randomBytes in xsrf.go uses math.rand to generate CSRF tokens. This is unsafe/insecure, and because it is seeded with time.UnixNano, generates predictable results that would allow an attacker to bypass CSRF protection. sessionID in session.go correctly uses crypto/rand to generate a session ID. You should split this code out and re-use it for both session ID generation and CSRF token generation. (You're also welcome to import or repurpose https://github.com/gorilla/csrf for this as well, which has some additional mitigations against CSRF bypass.)

(I'll also gladly provide a PR to address this, but wanted to get buy-in/explain it first!)

Comments

Reply:

@elithrar Thanks for pointing this out. Please feel free to open a PR. https://github.com/gorilla/csrf looks really nice. I would prefer to repurpose it and put a credit in the

Reply (@elithrar):

OK, great. To clarify, I plan on:

I'd strongly recommend that you import gorilla/csrf, which has a strict API stability guarantee but would also be vendored by downstream users, rather than copying the code into your library, so that any security patches or feature additions are kept in sync. Ultimately that's up to you though.

Referenced pull request:

Issue: dinever#20. Uses crypto/rand instead of math/rand for XSRF token generation, as @elithrar suggested. In that issue it was also suggested that we either use gorilla/csrf or repurpose it for Golf, so this PR may not close the issue.
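The fix the thread converges on, written out as an added example (this is not Golf's code, nor gorilla/csrf's): one crypto/rand-backed helper shared by session ID and CSRF token generation, a constant-time comparison for verification, and a small demonstration of why a math/rand source seeded with a timestamp is not a token generator. The function names `secureRandomBytes`, `newToken`, `tokensEqual` and `unsafeTokenWithSeed` are assumptions chosen for this example; the seed values are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	mrand "math/rand"
)

// secureRandomBytes returns n bytes from the OS CSPRNG via crypto/rand.
// Any error is returned to the caller: a token must never be padded with
// zeros or silently shortened. (Name assumed for this example.)
func secureRandomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// newToken encodes n random bytes as unpadded URL-safe base64. The same
// helper serves both session IDs and CSRF tokens, which is the "split this
// code out and re-use it" suggestion from the issue. 32 bytes gives 256 bits
// of entropy and a 43-character token.
func newToken(n int) (string, error) {
	b, err := secureRandomBytes(n)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// tokensEqual compares the token from the form/header with the one stored in
// the session in constant time, so a timing side channel cannot reveal how
// many leading bytes matched.
func tokensEqual(submitted, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(submitted), []byte(expected)) == 1
}

// unsafeTokenWithSeed reproduces the pattern the issue flags: a math/rand
// source seeded with a single int64 such as time.Now().UnixNano(). It exists
// only to show that the output is a pure function of the seed, so anyone who
// can narrow down the seed can regenerate the "random" token.
func unsafeTokenWithSeed(seed int64, n int) []byte {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return b
}

func main() {
	sessionID, err := newToken(32)
	if err != nil {
		panic(err)
	}
	csrfToken, err := newToken(32)
	if err != nil {
		panic(err)
	}
	fmt.Println("session ID :", sessionID)
	fmt.Println("CSRF token :", csrfToken)
	fmt.Println("verify ok  :", tokensEqual(csrfToken, csrfToken))
	fmt.Println("verify bad :", tokensEqual(sessionID, csrfToken))

	// Constructed seed standing in for a captured UnixNano value: two
	// generators with the same seed emit identical bytes.
	const seed int64 = 1700000000000000000
	a := unsafeTokenWithSeed(seed, 16)
	b := unsafeTokenWithSeed(seed, 16)
	fmt.Printf("math/rand with same seed identical: %v\n", string(a) == string(b))
}
```

In a handler, the CSRF check is `tokensEqual(r.FormValue("csrf_token"), sessionToken)` and nothing else; never fall back to `==`, and never derive the session ID and the CSRF token from one another, since leaking either would then expose both.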