Description

In internal/utils/rand.go, the random function was implemented like below:

import (
    "math/rand"
)

// RandomAlphaNum generates random alphanumeric string
// in case length <= 0 it returns empty string
func RandomAlphaNum(length int) string {
    const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

    if length <= 0 {
        return ""
    }

    randomString := make([]byte, length)
    for i := range randomString {
        randomString[i] = charset[rand.Intn(len(charset))]
    }

    return string(randomString)
}

Since the module math/rand is not recommended for security usage and we could not find the seed setting for the function, this RandomAlphaNum function does not guarantee the randomness.

Impact

This random function is not cryptographically secure.

Recommendations

We recommend using the module crypto/rand for the cryptographically secure random function.

Remediation

This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 81dce1bc↗.