From df88762ec23a0c6b2a26411956f750f8051c07aa Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Fri, 18 Sep 2020 11:02:02 -0400
Subject: [PATCH] CVE-2019-16303 - JHipster Vulnerability Fix - Use CSPRNG in
 RandomUtil

This fixes a security vulnerability in this project where the `RandomUtil.java`
file(s) were using an insecure Pseudo Random Number Generator (PRNG) instead of
a Cryptographically Secure Pseudo Random Number Generator (CSPRNG) for
security sensitive data.

Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
---
 .../eu/cloudopting/service/util/RandomUtil.java | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/common-component/src/main/java/eu/cloudopting/service/util/RandomUtil.java b/common-component/src/main/java/eu/cloudopting/service/util/RandomUtil.java
index 68d4e41c..c3081371 100644
--- a/common-component/src/main/java/eu/cloudopting/service/util/RandomUtil.java
+++ b/common-component/src/main/java/eu/cloudopting/service/util/RandomUtil.java
@@ -2,23 +2,34 @@
 
 import org.apache.commons.lang.RandomStringUtils;
 
+import java.security.SecureRandom;
+
 /**
  * Utility class for generating random Strings.
  */
 public final class RandomUtil {
+    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
 
     private static final int DEF_COUNT = 20;
 
+    static {
+        SECURE_RANDOM.nextBytes(new byte[64]);
+    }
+
     private RandomUtil() {
     }
 
+    private static String generateRandomAlphanumericString() {
+        return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
+    }
+
     /**
      * Generates a password.
      *
      * @return the generated password
      */
     public static String generatePassword() {
-        return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
+        return generateRandomAlphanumericString();
     }
 
     /**
@@ -27,7 +38,7 @@ public static String generatePassword() {
      * @return the generated activation key
      */
     public static String generateActivationKey() {
-        return RandomStringUtils.randomNumeric(DEF_COUNT);
+        return generateRandomAlphanumericString();
     }
 
     /**
@@ -36,6 +47,6 @@ public static String generateActivationKey() {
      * @return the generated reset key
      */
     public static String generateResetKey() {
-        return RandomStringUtils.randomNumeric(DEF_COUNT);
+        return generateRandomAlphanumericString();
     }
 }