search

jpmorganchase / QOKit

QOKit
https://www.jpmorgan.com/technology/applied-research
Apache License 2.0
51 stars 23 forks source link

Secure Source of Randomness #75

Closed pixeeai closed 1 month ago

pixeeai commented 1 month ago

This codemod replaces all instances of functions in the random module (e.g. random.random() with their, much more secure, equivalents from the secrets module (e.g. secrets.SystemRandom().random()).

There is significant algorithmic complexity in getting computers to generate genuinely unguessable random bits. The random.random() function uses a method of pseudo-random number generation that unfortunately emits fairly predictable numbers.

If the numbers it emits are predictable, then it's obviously not safe to use in cryptographic operations, file name creation, token construction, password generation, and anything else that's related to security. In fact, it may affect security even if it's not directly obvious.

Switching to a more secure version is simple and the changes look something like this:

- import random
+ import secrets
  ...
- random.random()
+ secrets.SystemRandom().random()
More reading * [https://owasp.org/www-community/vulnerabilities/Insecure_Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness) * [https://docs.python.org/3/library/random.html](https://docs.python.org/3/library/random.html)

I have additional improvements ready for this repo! If you want to see them, install our plugin (Github Marketplace download) & leave the comment:

@pixeebot next

... and I will open a new PR right away!

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: pixee:python/secure-random