From e5aa3932a335ea952731d5e2cdf87bd2b91ae1a5 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Thu, 17 Sep 2020 23:51:46 -0400
Subject: [PATCH] CVE-2019-16303 - JHipster Vulnerability Fix - Use CSPRNG in
 RandomUtil

This fixes a security vulnerability in this project where the `RandomUtil.java`
file(s) were using an insecure Pseudo Random Number Generator (PRNG) instead of
a Cryptographically Secure Pseudo Random Number Generator (CSPRNG) for
security sensitive data.

Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
---
 .../com/nudgun/service/util/RandomUtil.java     | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/main/java/com/nudgun/service/util/RandomUtil.java b/src/main/java/com/nudgun/service/util/RandomUtil.java
index 420b92a..c19c02c 100644
--- a/src/main/java/com/nudgun/service/util/RandomUtil.java
+++ b/src/main/java/com/nudgun/service/util/RandomUtil.java
@@ -2,23 +2,34 @@
 
 import org.apache.commons.lang3.RandomStringUtils;
 
+import java.security.SecureRandom;
+
 /**
  * Utility class for generating random Strings.
  */
 public final class RandomUtil {
+    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
 
     private static final int DEF_COUNT = 20;
 
+    static {
+        SECURE_RANDOM.nextBytes(new byte[64]);
+    }
+
     private RandomUtil() {
     }
 
+    private static String generateRandomAlphanumericString() {
+        return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
+    }
+
     /**
      * Generate a password.
      *
      * @return the generated password
      */
     public static String generatePassword() {
-        return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
+        return generateRandomAlphanumericString();
     }
 
     /**
@@ -27,7 +38,7 @@ public static String generatePassword() {
      * @return the generated activation key
      */
     public static String generateActivationKey() {
-        return RandomStringUtils.randomNumeric(DEF_COUNT);
+        return generateRandomAlphanumericString();
     }
 
     /**
@@ -36,6 +47,6 @@ public static String generateActivationKey() {
      * @return the generated reset key
      */
     public static String generateResetKey() {
-        return RandomStringUtils.randomNumeric(DEF_COUNT);
+        return generateRandomAlphanumericString();
     }
 }