Introduced protections against predictable RNG abuse (#3)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
pixeebot[bot] authored Nov 30, 2024
1 parent 403170c commit 8fbe04b
Showing 16 changed files with 37 additions and 21 deletions.
Expand Up @@ -23,6 +23,7 @@
import com.alibaba.nacos.client.utils.LogUtils;
import com.alibaba.nacos.common.http.client.NacosRestTemplate;
import com.alibaba.nacos.common.utils.StringUtils;
import java.security.SecureRandom;
import org.slf4j.Logger;

import java.util.ArrayList;
Expand Down Expand Up @@ -162,7 +163,7 @@ private static class ServerAddressIterator implements Iterator<String> {

static class RandomizedServerAddress implements Comparable<RandomizedServerAddress> {

static Random random = new Random();
static Random random = new SecureRandom();

String serverIp;

Expand Down Expand Up @@ -205,4 +206,4 @@ public String next() {
return iter.next().serverIp;
}
}
}
}
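Review bot: The new `import java.security.SecureRandom;` at the top of this hunk is placed in the `com.alibaba.*`/`org.slf4j` group, while the file keeps its `java.*` imports in a separate group below (`import java.util.ArrayList;`); the same out-of-group placement recurs in every other import hunk of this commit except the two `RandomUtils` files (`com.alibaba.nacos.common.utils` and `com.alibaba.nacos.test.naming`), so an import-order check, if the project enforces one, would flag each of them. Moving the line into the existing `java.*` group keeps the files consistent. In the second hunk, `static Random random = new SecureRandom();` stays a non-final, package-private mutable static; a single shared instance is the right shape here because `SecureRandom` is documented as safe for concurrent use, but it should read `static final Random random = new SecureRandom();` so it cannot be reassigned. The enclosing `RandomizedServerAddress` class continues outside the hunk.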
Expand Up @@ -25,6 +25,7 @@
import com.alibaba.nacos.client.utils.LogUtils;
import com.alibaba.nacos.common.JustForTest;
import com.alibaba.nacos.common.http.client.NacosRestTemplate;
import java.security.SecureRandom;
import org.slf4j.Logger;

import java.util.List;
Expand Down Expand Up @@ -63,7 +64,7 @@ public void start() throws NacosException {
if (serverList.isEmpty()) {
throw new NacosLoadException("serverList is empty,please check configuration");
} else {
currentIndex.set(new Random().nextInt(serverList.size()));
currentIndex.set(new SecureRandom().nextInt(serverList.size()));
}
if (serverListProvider instanceof PropertiesListProvider) {
if (serverList.size() == 1) {
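Review bot: After this change `start()` no longer names the `Random` type at all (`new SecureRandom().nextInt(serverList.size())`), so if this was the file's only use of `java.util.Random`, the existing `import java.util.Random;` is now unused and will trip an unused-import check; the import block is outside the hunk, so this needs confirming against the file. The same applies to the two `process()` hunks in the `com.alibaba.nacos.common.utils` test (`int random = new SecureRandom().nextInt(1000);`) and to the `addLongPollingClient` hunk (`1000L + new SecureRandom().nextInt(2000)`). `start()` continues outside the hunk.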
Expand Up @@ -49,6 +49,7 @@
import com.alibaba.nacos.common.utils.StringUtils;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.JsonNode;
import java.security.SecureRandom;
import org.apache.http.HttpStatus;

import java.util.Collections;
Expand Down Expand Up @@ -371,7 +372,7 @@ public String reqApi(String api, Map<String, String> params, Map<String, String>
}
}
} else {
Random random = new Random();
Random random = new SecureRandom();
int index = random.nextInt(servers.size());

for (int i = 0; i < servers.size(); i++) {
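Review bot: `Random random = new SecureRandom();` is now constructed inside `reqApi`, i.e. on every request that reaches this branch; a `SecureRandom` is markedly more expensive to create than a `java.util.Random`, and only one instance is needed since `SecureRandom` is documented as safe for concurrent use. Hoist it to a class-level `private static final Random RANDOM = new SecureRandom();` and use `int index = RANDOM.nextInt(servers.size());` here. The same per-call construction appears in `healthCheck()` (`Random random = new SecureRandom();` before the retry loop) and in `addLongPollingClient` (`new SecureRandom().nextInt(2000)` for each scheduled 503 response). The starting server index is not security-sensitive, so if the cost matters `ThreadLocalRandom.current().nextInt(servers.size())` is also a proportionate option. `reqApi` continues outside the hunk.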
Expand Up @@ -18,6 +18,7 @@

import com.alibaba.nacos.api.naming.pojo.Instance;
import com.alibaba.nacos.api.naming.pojo.builder.InstanceBuilder;
import java.security.SecureRandom;
import org.junit.jupiter.api.Test;

import java.util.ArrayList;
Expand Down Expand Up @@ -62,7 +63,7 @@ public void testGetDiff() {

@Test
public void testWithFullConstructor() {
Random random = new Random();
Random random = new SecureRandom();
int addedCount = random.nextInt(32) + 1;
int removedCount = random.nextInt(32) + 1;
int modifiedCount = random.nextInt(32) + 1;
Expand All @@ -88,7 +89,7 @@ public void testWithFullConstructor() {

@Test
public void testWithNoConstructor() {
Random random = new Random();
Random random = new SecureRandom();
int addedCount = random.nextInt(32) + 1;
int removedCount = random.nextInt(32) + 1;
int modifiedCount = random.nextInt(32) + 1;
Expand Up @@ -19,6 +19,7 @@
import com.alibaba.nacos.api.naming.pojo.Instance;
import com.alibaba.nacos.api.naming.selector.NamingContext;
import com.alibaba.nacos.api.naming.selector.NamingResult;
import java.security.SecureRandom;
import org.junit.jupiter.api.Test;

import java.util.ArrayList;
Expand All @@ -35,7 +36,7 @@ public class DefaultNamingSelectorTest {
@Test
public void testSelect() {
DefaultNamingSelector namingSelector = new DefaultNamingSelector(Instance::isHealthy);
Random random = new Random();
Random random = new SecureRandom();
int total = random.nextInt(32) + 1;
int health = random.nextInt(total);

Expand Up @@ -17,6 +17,7 @@
package com.alibaba.nacos.client.selector;

import com.alibaba.nacos.client.naming.selector.NamingSelectorWrapper;
import java.security.SecureRandom;
import org.junit.jupiter.api.Test;

import java.util.ArrayList;
Expand Down Expand Up @@ -68,7 +69,7 @@ public void testSubInfo() {
private static String generateRandomString(int minLength, int maxLength) {
String characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

Random random = new Random();
Random random = new SecureRandom();
int length = random.nextInt(maxLength - minLength + 1) + minLength;
StringBuilder sb = new StringBuilder();

Expand Up @@ -41,6 +41,7 @@
import com.alibaba.nacos.common.utils.LoggerUtils;
import com.alibaba.nacos.common.utils.NumberUtils;
import com.alibaba.nacos.common.utils.StringUtils;
import java.security.SecureRandom;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand Down Expand Up @@ -437,7 +438,7 @@ private boolean healthCheck() {
return false;
}
int reTryTimes = rpcClientConfig.healthCheckRetryTimes();
Random random = new Random();
Random random = new SecureRandom();
while (reTryTimes >= 0) {
reTryTimes--;
try {
Expand Up @@ -16,6 +16,7 @@

package com.alibaba.nacos.common.utils;

import java.security.SecureRandom;
import java.util.Random;

/**
Expand All @@ -31,7 +32,7 @@ private RandomUtils() {
/**
* Random Object for random method.
*/
private static final Random RANDOM = new Random();
private static final Random RANDOM = new SecureRandom();

/**
* Returns a random long within the specified range.
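Review bot: The Javadoc above the changed field still reads `Random Object for random method.`, which says nothing about why a CSPRNG is now used or that the single instance is shared by every caller; suggest `/** Shared random source. A SecureRandom is used so outputs cannot be predicted from earlier ones; it is safe for concurrent use, so one static instance serves all methods. */`. The methods that read `RANDOM` are outside the hunk.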
Expand Up @@ -32,6 +32,7 @@
import com.alibaba.nacos.common.remote.ConnectionType;
import com.alibaba.nacos.common.remote.client.grpc.DefaultGrpcClientConfig;
import com.alibaba.nacos.common.remote.client.grpc.GrpcConnection;
import java.security.SecureRandom;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
Expand Down Expand Up @@ -575,7 +576,7 @@ public Connection connectToServer(ServerInfo serverInfo) {

@Test
void testHealthCheck() throws IllegalAccessException, NacosException {
Random random = new Random();
Random random = new SecureRandom();
int retry = random.nextInt(10);
when(rpcClientConfig.healthCheckRetryTimes()).thenReturn(retry);
rpcClient.rpcClientStatus.set(RpcClientStatus.RUNNING);
Expand Up @@ -16,6 +16,7 @@

package com.alibaba.nacos.common.utils;

import java.security.SecureRandom;
import org.junit.jupiter.api.Test;

import java.util.ConcurrentModificationException;
Expand Down Expand Up @@ -183,7 +184,7 @@ public AddDataThread(Set<Integer> hashSet) {

@Override
protected void process() {
int random = new Random().nextInt(1000);
int random = new SecureRandom().nextInt(1000);
hashSet.add(random);
}

Expand All @@ -198,7 +199,7 @@ public DeleteDataThread(Set<Integer> hashSet) {

@Override
protected void process() {
int random = new Random().nextInt(1000);
int random = new SecureRandom().nextInt(1000);
hashSet.remove(random);
}

Expand Up @@ -32,6 +32,7 @@
import com.alibaba.nacos.plugin.control.ControlManagerCenter;
import com.alibaba.nacos.plugin.control.connection.request.ConnectionCheckRequest;
import com.alibaba.nacos.plugin.control.connection.response.ConnectionCheckResponse;
import java.security.SecureRandom;
import org.springframework.stereotype.Service;

import javax.servlet.AsyncContext;
Expand Down Expand Up @@ -197,7 +198,7 @@ public void addLongPollingClient(HttpServletRequest req, HttpServletResponse rsp
if (!connectionCheckResponse.isSuccess()) {
RpcScheduledExecutor.CONTROL_SCHEDULER.schedule(
() -> generate503Response(asyncContext, rsp, connectionCheckResponse.getMessage()),
1000L + new Random().nextInt(2000), TimeUnit.MILLISECONDS);
1000L + new SecureRandom().nextInt(2000), TimeUnit.MILLISECONDS);
return;
}

Expand Up @@ -43,6 +43,7 @@
import com.alibaba.nacos.persistence.datasource.DynamicDataSource;
import com.alibaba.nacos.sys.env.EnvUtil;
import com.alibaba.nacos.sys.utils.TimerContext;
import java.security.SecureRandom;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand Down Expand Up @@ -229,7 +230,7 @@ protected void dumpOperate() throws NacosException {
}
if (!EnvUtil.getStandaloneMode()) {

Random random = new Random();
Random random = new SecureRandom();
long initialDelay = random.nextInt(INITIAL_DELAY_IN_MINUTE) + 10;
LogUtil.DEFAULT_LOG.warn("initialDelay:{}", initialDelay);

Expand Up @@ -66,6 +66,7 @@
import com.alipay.sofa.jraft.util.BytesUtil;
import com.alipay.sofa.jraft.util.Endpoint;
import com.google.protobuf.Message;
import java.security.SecureRandom;
import org.springframework.util.CollectionUtils;

import java.nio.ByteBuffer;
Expand Down Expand Up @@ -264,7 +265,7 @@ synchronized void createMultiRaftGroup(Collection<RequestProcessor4CP> processor
RaftExecutor.executeByCommon(() -> registerSelfToCluster(groupName, localPeerId, configuration));

// Turn on the leader auto refresh for this group
Random random = new Random();
Random random = new SecureRandom();
long period = nodeOptions.getElectionTimeoutMs() + random.nextInt(5 * 1000);
RaftExecutor.scheduleRaftMemberRefreshJob(() -> refreshRouteTable(groupName),
nodeOptions.getElectionTimeoutMs(), period, TimeUnit.MILLISECONDS);
Expand Up @@ -18,6 +18,7 @@

import com.alibaba.nacos.sys.env.EnvUtil;
import com.alibaba.nacos.sys.utils.ApplicationUtils;
import java.security.SecureRandom;
import org.apache.commons.io.FileUtils;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
Expand All @@ -41,7 +42,7 @@
*/
class SystemUtilsTest {

private static final Random RANDOM = new Random();
private static final Random RANDOM = new SecureRandom();

private static boolean standaloneMode = RANDOM.nextBoolean();

Expand Up @@ -23,6 +23,7 @@
import com.alibaba.nacos.test.base.HttpClient4Test;
import com.alibaba.nacos.test.base.Params;
import com.fasterxml.jackson.databind.JsonNode;
import java.security.SecureRandom;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
Expand Down Expand Up @@ -88,7 +89,7 @@ static void cleanClientCache() throws Exception {
*/
public static String randomContent() {
StringBuilder sb = new StringBuilder();
Random rand = new Random();
Random rand = new SecureRandom();
int temp = rand.nextInt(10) + 1;
sb.append("contentTest");
for (int i = 0; i < temp; i++) {
Expand Up @@ -16,6 +16,7 @@

package com.alibaba.nacos.test.naming;

import java.security.SecureRandom;
import java.util.Collection;
import java.util.HashSet;
import java.util.Random;
Expand All @@ -32,7 +33,7 @@ public class RandomUtils {

private static final String STRING_POOL = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

private static Random rd = new Random();
private static Random rd = new SecureRandom();

private static int UNICODE_START = 19968;

Expand Down Expand Up @@ -143,7 +144,7 @@ public static String getStringWithNumAndCha(int n) {

public static String getRandomString(int length) {
StringBuilder sb = new StringBuilder();
Random random = new Random();
Random random = new SecureRandom();
int range = STRING_POOL.length();

for (int i = 0; i < length; ++i) {
Expand Down Expand Up @@ -281,7 +282,7 @@ public static int[] getRandomArray(int min, int max, int n) {
}

int[] result = new int[n];
Random rd = new Random();
Random rd = new SecureRandom();

for (int i = 0; i < result.length; ++i) {
int index = Math.abs(rd.nextInt() % len--);
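Review bot: `getRandomString` and `getRandomArray` still construct their own `new SecureRandom()` even though the class already holds a shared `private static Random rd = new SecureRandom();` (first hunk), and in `getRandomArray` the local `Random rd` shadows that static field. Reuse the field instead: drop both local declarations and call `rd.nextInt(...)` directly, and make the field `private static final` so it cannot be reassigned. In the same method, `int index = Math.abs(rd.nextInt() % len--);` can become `int index = rd.nextInt(len--);`, the bounded form `Random` provides, which removes the sign-folding and the need for `Math.abs`. `getRandomString` and `getRandomArray` both continue outside their hunks.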
