Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(sec): randomString bias #2492

Merged
merged 6 commits into from
Jul 22, 2023
Merged

fix(sec): randomString bias #2492

merged 6 commits into from
Jul 22, 2023

Conversation

trim21
Copy link
Contributor

@trim21 trim21 commented Jul 21, 2023

security issue added by #2490

len("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")==52, and 256 = 52 * 4 + 48, so the possibility of each characters generated by randomString is not equal.

A-Za-v: 5/256
wxyz: 4/256

also perfermance improve, in newer (>=1.19) go version, rand.Reader is not buffered any more, so it's suggested to wrap rand.Reader with bufio if the data read from reader is small.

https://tip.golang.org/doc/go1.19#:~:text=Read%20no%20longer%20buffers%20random%20data%20obtained%20from%20the%20operating%20system%20between%20calls

@@ -55,17 +57,38 @@ func matchSubdomain(domain, pattern string) bool {
return false
}

// https://tip.golang.org/doc/go1.19#:~:text=Read%20no%20longer%20buffers%20random%20data%20obtained%20from%20the%20operating%20system%20between%20calls
var randomReaderPool = sync.Pool{New: func() interface{} {
Copy link
Contributor Author

@trim21 trim21 Jul 22, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bufio.Reader is not thread-safe and sync.Pool perf better than mutex.

@codecov
Copy link

codecov bot commented Jul 22, 2023

Codecov Report

Patch coverage: 90.47% and project coverage change: +0.03 🎉

Comparison is base (626f13e) 92.77% compared to head (479045b) 92.81%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2492      +/-   ##
==========================================
+ Coverage   92.77%   92.81%   +0.03%     
==========================================
  Files          39       39              
  Lines        4635     4646      +11     
==========================================
+ Hits         4300     4312      +12     
+ Misses        243      242       -1     
  Partials       92       92              
Impacted Files Coverage Δ
middleware/util.go 90.76% <90.47%> (+3.73%) ⬆️

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@aldas aldas merged commit b3ec8e0 into labstack:master Jul 22, 2023
11 checks passed
@aldas
Copy link
Contributor

aldas commented Jul 22, 2023

allright, people like me should not do security related things. @trim21 did not explain what we did before. Previously we had charset[rand.Int63()%int64(len(charset))] which was changed to charset[b%byte(len(charset))] that b is in range of 256 as @trim21 pointed out and moduling it with 52 (len(charset)) does not create equal possibilities.

Thank you @trim21

@aldas
Copy link
Contributor

aldas commented Jul 22, 2023

@trim21 would you like to add another PR that adds (doc)comment to randomString function that explains a little bit (more in depth) this bias when modulating rand.Int63() vs random byte. I think it would be beneficial for people who happen to skim over these parts or decide to copy it. I mean, I can not be only dummy in the world :)

PRs and their threads on Github are detached from the code and read rarely but library actual code is read more often - so it would be a great place to teach people not to be so security naive.

@trim21
Copy link
Contributor Author

trim21 commented Jul 22, 2023

@trim21 would you like to add another PR that adds (doc)comment to randomString function that explains a little bit (more in depth) this bias when modulating rand.Int63() vs random byte. I think it would be beneficial for people who happen to skim over these parts or decide to copy it. I mean, I can not be only dummy in the world :)

PRs and their threads on Github are detached from the code and read rarely but library actual code is read more often - so it would be a great place to teach people not to be so security naive.

I'm not very good at English...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants