EarthSystemCoG / COG

COG source code
BSD 3-Clause "New" or "Revised" License

Replace use of predictable random generator #1325

Closed LucaCinquini closed 7 years ago

LucaCinquini commented 7 years ago

Who: NOAA security scan

The CoG plugin for downloading files through Globus uses the function "randint()" to create the path of a temporary file. This has been flagged as insecure because:

"Standard pseudo-random number generators cannot withstand cryptographic attacks."

Must replace with a cryptographically-secure algorithm.

LucaCinquini commented 7 years ago

Done, now using "SystemRandom().randint()".
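The fix described in this thread, written out as an added example (not CoG's own code): the flagged pattern, where a temporary file name is derived from the module-level `random.randint()`, next to the hardened version that draws from `SystemRandom()` as the fix does. The directory, prefix and helper names are assumptions for illustration; `demo_predictability()` shows why the scan complains, since two default generators with the same seed reproduce each other's output while `SystemRandom` ignores the seed entirely.

```python
import os
import random
from random import SystemRandom

# Generator equivalent to the one behind random.randint(): Mersenne Twister,
# whose state is fully determined by its seed. Kept here only for comparison.
legacy_rng = random.Random()

# Fix as described in the issue: SystemRandom reads os.urandom(), i.e. the
# operating system CSPRNG, so a name cannot be inferred from earlier names.
cryptogen = SystemRandom()

UPPER = 2 ** 62  # assumed range; the original range is not given on the page


def temp_path_weak(base_dir, prefix="globus_"):
    """The pattern flagged by the scan (assumed shape, not CoG's code)."""
    return os.path.join(base_dir, f"{prefix}{legacy_rng.randint(0, UPPER)}")


def temp_path_secure(base_dir, prefix="globus_"):
    """Same path construction, but the number comes from SystemRandom."""
    return os.path.join(base_dir, f"{prefix}{cryptogen.randint(0, UPPER)}")


def uses_cryptographic_generator(rng):
    """Review check: only SystemRandom (or a subclass) is backed by the OS
    CSPRNG; any other random.Random instance is a statistical PRNG."""
    return isinstance(rng, SystemRandom)


def demo_predictability(seed=1234, draws=3):
    """Return (weak_repeats, strong_repeats): whether two generators built
    from the same seed yield identical sequences. Expected (True, False)."""
    weak_a, weak_b = random.Random(seed), random.Random(seed)
    # SystemRandom.seed() is a documented no-op, so the seed has no effect.
    strong_a, strong_b = SystemRandom(seed), SystemRandom(seed)
    weak_repeats = ([weak_a.randint(0, UPPER) for _ in range(draws)]
                    == [weak_b.randint(0, UPPER) for _ in range(draws)])
    strong_repeats = ([strong_a.randint(0, UPPER) for _ in range(draws)]
                      == [strong_b.randint(0, UPPER) for _ in range(draws)])
    return weak_repeats, strong_repeats


if __name__ == "__main__":
    print("weak  :", temp_path_weak("/tmp"))
    print("secure:", temp_path_secure("/tmp"))
    print("legacy is CSPRNG?", uses_cryptographic_generator(legacy_rng))
    print("cryptogen is CSPRNG?", uses_cryptographic_generator(cryptogen))
    print("(weak repeats, strong repeats) =", demo_predictability())
```

For new code the standard library's `secrets` module or `tempfile.mkstemp()` is the more idiomatic choice; the latter also creates the file atomically, which a random name alone does not guarantee.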

murphysj commented 7 years ago

This code must be outside of the cog source code. My search did not find it...?

murphysj commented 7 years ago

Actually the code is: `cryptogen = SystemRandom()`. Found it.