
Random GUIDs and UUID, and Randomizer.java

Open kwwall opened this issue 2 years ago • 3 comments

[Extracted from a post by @noloader to the ESAPI-Project-Users list on August 22, 2022.]

Describe the bug
It looks like Randomizer.java is providing random UUIDs. The reference given is dead.[1] I went back to 2007 and the IETF returned 404's.

Nowadays I think you should use RFC 4122 and UUIDv4.[2] From Section 4.1.3 of [2]:

   Msb0  Msb1  Msb2  Msb3   Version  Description
   ...

    0     1     0     0        4     The randomly or pseudo-
                                          randomly generated version
                                          specified in this document.

[1] http://www.ietf.org/internet-drafts/draft-mealling-uuid-urn-03.txt
[2] https://datatracker.ietf.org/doc/html/rfc4122

Specify what ESAPI version(s) you are experiencing this bug in
ESAPI 2.5.0.

Expected behavior
A random Version-4 type UUID, conformant with RFC 4122, should be produced when calling:

ESAPI.randomizer().getRandomGUID();

kwwall, Aug 22 '22 21:08

Unless anyone has some objection, I propose that ESAPI's DefaultRandomizer.getRandomGUID() should just call the static method,

   UUID.randomUUID()

where the UUID class is java.util.UUID.

That returns a Type 4 UUID as defined in RFC 4122. The implementation of the java.util.UUID class uses java.security.SecureRandom for that. Our use of ESAPI predates implementation of the java.util.UUID class though, as it wasn't added until Java 5.

kwwall, Aug 22 '22 21:08
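The following is an added example, not code from ESAPI or from anyone in this thread. It shows what the issue body asks for (a Version-4, RFC 4122 UUID from getRandomGUID()) and what the comment above proposes (delegating to java.util.UUID.randomUUID()), together with a check that the result really carries the version nibble 0100 from the Section 4.1.3 table and the RFC 4122 variant bits. The class name RandomGuidExample and the two negative test strings in main() are constructed for this example; the v1 string is the DNS namespace UUID from RFC 4122 Appendix C.

```java
import java.util.UUID;
import java.util.regex.Pattern;

/**
 * Added example (not ESAPI's DefaultRandomizer): the proposed body for
 * getRandomGUID(), plus a validator for RFC 4122 version-4 UUIDs.
 */
public class RandomGuidExample {

    // Canonical 8-4-4-4-12 hex form (RFC 4122 section 3). Input is accepted
    // case-insensitively; UUID.toString() itself emits lowercase.
    private static final Pattern CANONICAL = Pattern.compile(
        "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
        Pattern.CASE_INSENSITIVE);

    /** What the thread proposes getRandomGUID() should reduce to. */
    public static String getRandomGUID() {
        // UUID.randomUUID() draws its 122 random bits from a SecureRandom-backed
        // generator and sets the version (0100) and variant (10x) bits itself.
        return UUID.randomUUID().toString();
    }

    /** True iff s is a canonical RFC 4122 version-4 UUID string. */
    public static boolean isRfc4122Version4(String s) {
        if (s == null || !CANONICAL.matcher(s).matches()) {
            return false;
        }
        UUID u = UUID.fromString(s);
        // version() is the Msb0..Msb3 nibble of time_hi_and_version: 4 is the
        // "randomly or pseudo-randomly generated" row of the Section 4.1.3 table.
        // variant() == 2 means the top bits of clock_seq_hi_and_reserved are 10,
        // the variant RFC 4122 defines (section 4.1.1).
        return u.version() == 4 && u.variant() == 2;
    }

    public static void main(String[] args) {
        String guid = getRandomGUID();
        System.out.println(guid + " -> v4/RFC 4122: " + isRfc4122Version4(guid)); // true

        // Constructed negative cases: a time-based (version 1) UUID, and a string
        // whose version nibble is 4 but whose variant nibble (0001) is not 10x.
        String v1 = "6ba7b810-9dad-11d1-80b4-00c04fd430c8";
        String badVariant = "12345678-1234-4123-1234-123456789abc";
        System.out.println(v1 + " -> " + isRfc4122Version4(v1));                 // false
        System.out.println(badVariant + " -> " + isRfc4122Version4(badVariant)); // false
    }
}
```

The validator is the check a caller would want around any GUID source being swapped: it rejects values that merely look like UUIDs but were built by hand or by a time-based generator, which is exactly the gap the original dead-link implementation leaves open.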

If this method was created to fill a void of the java runtime that has since been provided, then I think it's worth considering deprecating DefaultRandomizer.getRandomGUID() in favor of the java-supplied UUID method?

jeremiahjstacey, Aug 22 '22 22:08

Oh, I will note it as @deprecated as well.

-kevin

kwwall, Aug 22 '22 23:08