
Commit 895f4d0

JHipster Vuln: Add GOOD/BAD & release note links
1 parent 8272d59 commit 895f4d0

3 files changed

+8
-7
lines changed


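--- a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.qhelp
+++ b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.qhelp
@@ -16,7 +16,7 @@ Using this information, they can create a reset link that allows them to take ov
 
 <example>
 
-<p>The example below shows the vulnerable <code>RandomUtil</code> class generated by JHipster.</p>
+<p>The example below shows the vulnerable <code>RandomUtil</code> class generated by <a href="https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html">JHipster prior to version 6.3.0</a>.</p>
 <sample src="JHipsterGeneratedPRNGVulnerable.java" />
 
 <p>Below is a fixed version of the <code>RandomUtil</code> class.</p>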

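--- a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNGFixed.java
+++ b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNGFixed.java
@@ -6,7 +6,7 @@
 * Utility class for generating random Strings.
 */
 public final class RandomUtil {
-private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom
 
 private static final int DEF_COUNT = 20;
 
@@ -18,6 +18,7 @@ private RandomUtil() {
 }
 
 private static String generateRandomAlphanumericString() {
+// GOOD: Passing Secure Random to RandomStringUtils::random
 return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
 }
 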
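Review bot: The comment added on new line 21 writes the class name as two words, `Secure Random`, while the comment added on line 9 of the same file and the code itself use `SecureRandom`; since these samples are rendered verbatim in the query help, `// GOOD: Passing SecureRandom to RandomStringUtils::random` reads more consistently. It would also help the reader if the comment stated why this particular overload is used: it is the one that takes the caller's `Random` source as its last argument, which is the whole point of the fixed sample, whereas the shorthand helpers in the vulnerable sample are flagged precisely because they do not take one. Something like `// GOOD: this overload lets the caller supply the Random source, so the shared SecureRandom is used` would make that explicit.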
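--- a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNGVulnerable.java
+++ b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNGVulnerable.java
@@ -16,7 +16,7 @@ private RandomUtil() {
 * @return the generated password.
 */
 public static String generatePassword() {
-return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
+return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
 }
 
 /**
@@ -25,7 +25,7 @@ public static String generatePassword() {
 * @return the generated activation key.
 */
 public static String generateActivationKey() {
-return RandomStringUtils.randomNumeric(DEF_COUNT);
+return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
 }
 
 /**
@@ -34,7 +34,7 @@ public static String generateActivationKey() {
 * @return the generated reset key.
 */
 public static String generateResetKey() {
-return RandomStringUtils.randomNumeric(DEF_COUNT);
+return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
 }
 
 /**
@@ -44,7 +44,7 @@ public static String generateResetKey() {
 * @return the generated series data.
 */
 public static String generateSeriesData() {
-return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
+return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
 }
 
 /**
@@ -53,6 +53,6 @@ public static String generateSeriesData() {
 * @return the generated token data.
 */
 public static String generateTokenData() {
-return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
+return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
 }
 }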
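Review bot: The comment added on new line 19 misspells "does" as "oes", and the same typo is copied into the other four hunks of this file (new lines 28, 37, 47 and 56). These samples are rendered verbatim in the query help, so each of the five should read `// BAD: RandomStringUtils does not use SecureRandom`. Since the five annotations are identical, it would also be worth saying once, on the first occurrence, what the consequence is for these values — that a password, activation key, reset key or token drawn from a non-cryptographic source can be guessed — so the reader does not have to go back to the qhelp prose to understand why this is flagged.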
