From 75c6a0f6d96955ff2f98c22aee1ce50c74cc52ea Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Fri, 18 Sep 2020 03:09:21 -0400
Subject: [PATCH] CVE-2019-16303 - JHipster Vulnerability Fix - Use CSPRNG in
 RandomUtil

This fixes a security vulnerability in this project where the `RandomUtil.java`
file(s) were using an insecure Pseudo Random Number Generator (PRNG) instead of
a Cryptographically Secure Pseudo Random Number Generator (CSPRNG) for
security sensitive data.

Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
---
 .../alchemy/service/util/RandomUtil.java        | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/alchemy-web/src/main/java/com/dfire/platform/alchemy/service/util/RandomUtil.java b/alchemy-web/src/main/java/com/dfire/platform/alchemy/service/util/RandomUtil.java
index 4cdb0946..88739d41 100644
--- a/alchemy-web/src/main/java/com/dfire/platform/alchemy/service/util/RandomUtil.java
+++ b/alchemy-web/src/main/java/com/dfire/platform/alchemy/service/util/RandomUtil.java
@@ -2,23 +2,34 @@
 
 import org.apache.commons.lang3.RandomStringUtils;
 
+import java.security.SecureRandom;
+
 /**
  * Utility class for generating random Strings.
  */
 public final class RandomUtil {
+    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
 
     private static final int DEF_COUNT = 20;
 
+    static {
+        SECURE_RANDOM.nextBytes(new byte[64]);
+    }
+
     private RandomUtil() {
     }
 
+    private static String generateRandomAlphanumericString() {
+        return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
+    }
+
     /**
      * Generate a password.
      *
      * @return the generated password.
      */
     public static String generatePassword() {
-        return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
+        return generateRandomAlphanumericString();
     }
 
     /**
@@ -27,7 +38,7 @@ public static String generatePassword() {
      * @return the generated activation key.
      */
     public static String generateActivationKey() {
-        return RandomStringUtils.randomNumeric(DEF_COUNT);
+        return generateRandomAlphanumericString();
     }
 
     /**
@@ -36,6 +47,6 @@ public static String generateActivationKey() {
      * @return the generated reset key.
      */
     public static String generateResetKey() {
-        return RandomStringUtils.randomNumeric(DEF_COUNT);
+        return generateRandomAlphanumericString();
     }
 }