Bug bounty for solving security issue - thank you @atomfrede #10402

Closed
jdubois opened this issue Sep 13, 2019 · 9 comments
Labels: $$ bug-bounty $$, $300 (https://www.jhipster.tech/bug-bounties/)
Milestone: 6.3.0

Comments

jdubois (Member) commented Sep 13, 2019

This is linked to #10401

As discussed in the security advisory (not public yet), we put a $300 bug bounty on solving the issue (so $500 for reporting the issue, and $300 for solving it!).

@atomfrede you seem to have done the fix, so I'm assigning this to you, and adding the bounty here so we follow our usual process.

jdubois added the $$ bug-bounty $$ and $300 labels (https://www.jhipster.tech/bug-bounties/) Sep 13, 2019
atomfrede changed the title from "Bug bounty for solving security issue - thank you @atomefrede" to "Bug bounty for solving security issue - thank you @atomfrede" Sep 13, 2019
@jdubois jdubois added this to the 6.3.0 milestone Sep 13, 2019
atomfrede (Member) commented

Bounty claimed: https://opencollective.com/generator-jhipster/expenses/10062. Thanks @jdubois for putting up the bounty! It was great to work with everyone keeping calm on that issue!

jdubois (Member, Author) commented Sep 13, 2019

Yes that was awesome to work together on this!

pascalgrimaud (Member) commented

@atomfrede: can we close this ticket?

atomfrede (Member) commented

Yes

tibistibi (Contributor) commented

Thanks for solving this problem!

In the upgrade page it states:

How to fix the issue: you probably don't need to upgrade JHipster, as this just affects a few generated files, so this can be done manually. The issue is in the generated RandomUtil class. Here is this class in our sample application generated with JHipster v6.2.0 and here is the updated version, using JHipster v6.3.0. So all you need to do is copy the new file, which uses SecureRandom, and replace the older file.

Which is not totally true, because these methods have been removed:

```java
// Pre-fix methods: RandomStringUtils draws from a shared java.util.Random,
// which is not a cryptographic generator.

/**
 * Generate a unique series to validate a persistent token, used in the
 * authentication remember-me mechanism.
 *
 * @return the generated series data.
 */
public static String generateSeriesData() {
    return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
}

/**
 * Generate a persistent token, used in the authentication remember-me mechanism.
 *
 * @return the generated token data.
 */
public static String generateTokenData() {
    return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
}
```

Should they be added with:

```java
return generateRandomAlphanumericString();
```
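Why the old RandomUtil had to go, as an added example that is not part of this thread and not JHipster code: commons-lang3's RandomStringUtils draws from one shared java.util.Random, a 48-bit linear congruential generator, so anyone who observes a couple of its raw outputs can recover the internal state and predict every later output. The class below (all names are my own) recovers the state from two consecutive nextInt() values by brute-forcing the 16 unobserved low bits, then predicts the third call. RandomStringUtils does not hand out nextInt() directly (it builds each character with nextInt(bound) plus rejection sampling), so a real attack on generated tokens needs more bookkeeping, but the state it has to recover is still only 48 bits, whatever DEF_COUNT is.

```java
import java.util.Random;

// Added example: recover java.util.Random's 48-bit state from two
// consecutive nextInt() outputs and predict the third one.
public class JavaRandomPrediction {

    // Constants of java.util.Random's LCG.
    private static final long MULTIPLIER = 0x5DEECE66DL;
    private static final long ADDEND = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** One LCG step, identical to what java.util.Random.next(bits) performs. */
    static long step(long state) {
        return (state * MULTIPLIER + ADDEND) & MASK;
    }

    /**
     * nextInt() returns the top 32 bits of the state after a step, so out1
     * fixes 32 of the 48 state bits; try all 2^16 low bits and keep the one
     * that reproduces out2. Returns the state after out2 was produced, or -1.
     */
    static long recoverState(int out1, int out2) {
        long high = ((long) out1 & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1 << 16); low++) {
            long candidate = high | low;
            long next = step(candidate);
            if ((int) (next >>> 16) == out2) {
                return next;
            }
        }
        return -1;
    }

    /** The value the generator will return on its next nextInt() call. */
    static int predictNext(long stateAfterOut2) {
        return (int) (step(stateAfterOut2) >>> 16);
    }

    public static void main(String[] args) {
        Random rng = new Random();            // same PRNG class behind RandomStringUtils
        int a = rng.nextInt();
        int b = rng.nextInt();                // two "leaked" outputs

        long state = recoverState(a, b);
        int predicted = predictNext(state);
        int actual = rng.nextInt();

        System.out.println("predicted=" + predicted + " actual=" + actual
            + " match=" + (predicted == actual));
    }
}
```

The search finishes in well under a second; no amount of extra characters per token changes that, which is why the fix has to swap the generator rather than lengthen DEF_COUNT. SecureRandom has no such recoverable state to brute-force.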

jdubois (Member, Author) commented Sep 19, 2019

@tibistibi the method signatures of RandomUtil should be the same; what is inside those methods did change.

tibistibi (Contributor) commented

Yes, clear! Maybe good to add the information to the upgrade page?

tibistibi (Contributor) commented Sep 19, 2019

So for me I could fix it by replacing the RandomUtil file and adding this:


```java
// Restored remember-me methods, now delegating to the SecureRandom-backed helper.

/**
 * Generate a unique series to validate a persistent token, used in the
 * authentication remember-me mechanism.
 *
 * @return the generated series data.
 */
public static String generateSeriesData() {
    return generateRandomAlphanumericString();
}

/**
 * Generate a persistent token, used in the authentication remember-me mechanism.
 *
 * @return the generated token data.
 */
public static String generateTokenData() {
    return generateRandomAlphanumericString();
}
```

ruddell (Member) commented Sep 19, 2019

@tibistibi RandomUtil depends on your auth type, Session auth has some extra methods. I couldn't find sample apps for Session or UAA, so you can see the various options here: https://github.com/ruddell/jhipster-examples/tree/cve-random-util-fixes
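A complete, compilable RandomUtil in the shape the thread describes, as an added example that is neither the generator's file nor the code in ruddell's example branch: the public method names used above (generateSeriesData, generateTokenData) are kept, everything delegates to generateRandomAlphanumericString(), and that method draws every character from a single SecureRandom. DEF_COUNT = 20 and the exact alphabet are my assumptions; commons-lang is deliberately not used so the file stands on its own.

```java
import java.security.SecureRandom;

// Added example (not the JHipster-generated file): RandomUtil with the
// session/remember-me methods, all backed by one SecureRandom instance.
public final class RandomUtil {

    private static final int DEF_COUNT = 20;   // assumed token length
    private static final String ALPHANUMERIC =  // assumed alphabet, 62 symbols
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // One shared CSPRNG for the class: SecureRandom is thread-safe, and
    // constructing a new one per call is slow on some platforms for no gain.
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    static {
        // Force seeding at class load instead of inside the first request.
        SECURE_RANDOM.nextBytes(new byte[64]);
    }

    private RandomUtil() {
    }

    /**
     * Build a DEF_COUNT-character string over [A-Za-z0-9].
     * SecureRandom.nextInt(bound) is already unbiased, so no modulo trick is needed.
     */
    static String generateRandomAlphanumericString() {
        StringBuilder sb = new StringBuilder(DEF_COUNT);
        for (int i = 0; i < DEF_COUNT; i++) {
            sb.append(ALPHANUMERIC.charAt(SECURE_RANDOM.nextInt(ALPHANUMERIC.length())));
        }
        return sb.toString();
    }

    /**
     * Generate a unique series to validate a persistent token, used in the
     * authentication remember-me mechanism.
     */
    public static String generateSeriesData() {
        return generateRandomAlphanumericString();
    }

    /**
     * Generate a persistent token, used in the authentication remember-me mechanism.
     */
    public static String generateTokenData() {
        return generateRandomAlphanumericString();
    }

    // The other generated methods keep their signatures and delegate the same way.

    public static void main(String[] args) {
        String series = generateSeriesData();
        String token = generateTokenData();
        boolean wellFormed = series.length() == DEF_COUNT
            && series.chars().allMatch(c -> ALPHANUMERIC.indexOf(c) >= 0)
            && !series.equals(token);
        System.out.println(series + " " + token + " wellFormed=" + wellFormed);
    }
}
```

Twenty characters over 62 symbols is about 119 bits of entropy, which is ample for a remember-me series or token; the property that matters is that the bits come from a CSPRNG, not the count. When replacing the generated file by hand, diff the public method list against the one your auth type generated so nothing the rest of the application calls disappears.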

5 participants