Category: Coding Mistakes
Unsafe random function
Informational Severity
Informational Impact
N/A Likelihood
Description
In internal/utils/rand.go, the random function was implemented like below:
import (
    "math/rand"
)

// RandomAlphaNum generates random alphanumeric string
// in case length <= 0 it returns empty string
func RandomAlphaNum(length int) string {
    const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    if length <= 0 {
        return ""
    }
    randomString := make([]byte, length)
    for i := range randomString {
        // rand.Intn draws from the math/rand global source, a deterministic PRNG
        randomString[i] = charset[rand.Intn(len(charset))]
    }
    return string(randomString)
}
math/rand is a deterministic pseudo-random number generator and is documented as unsuitable for security-sensitive use: its output is a function of the seed, so anyone who learns the seed, or observes enough consecutive outputs to recover the generator state, can reproduce every value it will produce. We also could not find any call that seeds the global source used by rand.Intn. Before Go 1.20 the unseeded global source starts from the fixed seed 1, so RandomAlphaNum returns the same sequence of strings on every process start; from Go 1.20 the global source is seeded randomly at startup, but its output remains predictable from observed values. Either way, RandomAlphaNum does not produce unpredictable strings.
Impact
The strings produced by RandomAlphaNum are predictable rather than cryptographically secure. If a caller ever uses them as a secret (a token, nonce, password or key material), an attacker who knows the seed or has observed earlier outputs can guess or reproduce them. The actual impact depends on where the output is consumed.
Recommendations
We recommend generating the string from crypto/rand, which reads from the operating system's CSPRNG, and selecting characters without modulo bias: 62 does not divide 256, so a plain byte % 62 favours the first 8 characters of the charset. Callers should also handle the error crypto/rand can return instead of silently falling back.
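The following is an added example of the recommended replacement written for this report; it is not Babylon Labs' code and it is not the fix from the remediation commit. It keeps the same charset and the same behaviour for length <= 0, draws bytes from crypto/rand, and uses rejection sampling (discarding bytes >= 248) so that every character is equally likely. The function name SecureRandomAlphaNum and the error-returning signature are the example's own choices.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// alphaNumCharset is the same 62-character alphabet used by RandomAlphaNum.
const alphaNumCharset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// SecureRandomAlphaNum returns a random alphanumeric string of the given
// length drawn from crypto/rand. For length <= 0 it returns "" (same as the
// original). It returns an error instead of panicking if the OS CSPRNG fails.
func SecureRandomAlphaNum(length int) (string, error) {
	if length <= 0 {
		return "", nil
	}

	// 256 is not a multiple of 62, so reducing a byte modulo 62 would favour
	// the first 8 characters. Reject any byte >= limit (the largest multiple
	// of 62 that fits in a byte, 248) and draw again instead.
	const n = len(alphaNumCharset) // 62
	const limit = 256 - 256%n      // 248

	out := make([]byte, 0, length)
	buf := make([]byte, length) // refilled from crypto/rand until out is full
	for len(out) < length {
		if _, err := rand.Read(buf); err != nil {
			return "", fmt.Errorf("crypto/rand: %w", err)
		}
		for _, b := range buf {
			if int(b) >= limit {
				continue // biased range, discard
			}
			out = append(out, alphaNumCharset[int(b)%n])
			if len(out) == length {
				break
			}
		}
	}
	return string(out), nil
}

func main() {
	token, err := SecureRandomAlphaNum(32)
	if err != nil {
		panic(err)
	}
	fmt.Println(token)
}
```

Because roughly 8 of every 256 bytes are rejected, a single rand.Read usually suffices and the outer loop only runs again for the few missing characters. The error return matters on Go versions where crypto/rand.Read can fail; a caller that ignores it would otherwise continue with an empty or partial string.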
Remediation
This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 81dce1bc.