ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

Random GUIDs and UUID, and Randomizer.java #737

Open kwwall opened 2 years ago

kwwall commented 2 years ago

[Extracted from a post by @noloader to the ESAPI-Project-Users list on August 22, 2022.]

Describe the bug

It looks like Randomizer.java is providing random UUIDs. The reference given is dead.[1] I went back to 2007 and the IETF returned 404s.

Nowadays I think you should use RFC 1422 and UUIDv4.[2] From Section 4.1.3 of [2]:

   Msb0  Msb1  Msb2  Msb3   Version  Description
   ...

    0     1     0     0        4     The randomly or pseudo-
                                          randomly generated version
                                          specified in this document.

[1] http://www.ietf.org/internet-drafts/draft-mealling-uuid-urn-03.txt
[2] https://datatracker.ietf.org/doc/html/rfc4122

Specify what ESAPI version(s) you are experiencing this bug in

ESAPI 2.5.0.

Expected behavior

A random Version-4 type UUID, conformant with RFC 4122, should be produced when calling:

   ESAPI.randomizer().getRandomGUID();

kwwall commented 2 years ago

Unless anyone has some objection, I propose that ESAPI's DefaultRandomizer.getRandomGUID() should just call the static method,

   UUID.randomUUID()

where the UUID class is java.util.UUID.

That returns a Type 4 UUID as defined in RFC4122. The implementation of the java.util.UUID class uses java.security.SecureRandom for that. Our use of ESAPI predates implementation of the java.util.UUID class though, as it wasn't added until Java 5.
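As an added example (not code from ESAPI or from either commenter), here is how the proposed UUID.randomUUID() replacement can be checked against the RFC 4122 version-4 layout quoted in the report above. The class and method names are my own; the check uses only java.util.UUID, whose version() and variant() accessors read the same bits the RFC table describes.

```java
import java.util.UUID;

/**
 * Added example, not part of ESAPI: verifies that a UUID string has the
 * RFC 4122 version-4 layout (version nibble 0100, variant bits 10xx),
 * and shows that java.util.UUID.randomUUID() produces exactly that.
 */
public class RandomUuidCheck {

    /**
     * Returns true if s parses as a UUID whose version field is 4 and whose
     * variant is the RFC 4122 ("Leach-Salz") variant. Malformed input is
     * rejected rather than thrown, so the check is safe on untrusted strings.
     */
    public static boolean isRfc4122Version4(String s) {
        final UUID u;
        try {
            u = UUID.fromString(s);
        } catch (IllegalArgumentException e) {
            return false;
        }
        // version() is the high nibble of time_hi_and_version;
        // variant() == 2 means the top bits of clock_seq_hi_and_reserved are 10.
        return u.version() == 4 && u.variant() == 2;
    }

    /**
     * Same version test done on the raw bits, mirroring the RFC table above:
     * Msb0..Msb3 of the version field must be 0 1 0 0.
     */
    public static boolean versionBitsAreFour(UUID u) {
        long msb = u.getMostSignificantBits();
        int versionNibble = (int) ((msb >>> 12) & 0xF);
        return versionNibble == 0x4;
    }

    public static void main(String[] args) {
        // The proposed replacement body for DefaultRandomizer.getRandomGUID():
        UUID u = UUID.randomUUID();   // backed by java.security.SecureRandom
        System.out.println(u);
        System.out.println("version=" + u.version() + " variant=" + u.variant());
        System.out.println("conformant: " + isRfc4122Version4(u.toString()));
        System.out.println("version bits 0100: " + versionBitsAreFour(u));

        // Constructed sample with the version nibble set to 1 (time-based
        // layout); it parses but is rejected by the version-4 check.
        String timeBased = "123e4567-e89b-12d3-a456-426614174000";
        System.out.println("time-based sample accepted: " + isRfc4122Version4(timeBased));
    }
}
```

The string form of a conforming value always has a 4 as the first character of the third group and one of 8, 9, a or b as the first character of the fourth group, which is a quick visual check when reviewing generated GUIDs in logs.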

jeremiahjstacey commented 2 years ago

If this method was created to fill a void of the java runtime that has since been provided, then I think it's worth considering deprecating DefaultRandomizer.getRandomGUID() in favor of the java-supplied UUID method?

kwwall commented 2 years ago

Oh, I will note it as @deprecated as well.

-kevin
