Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhnMmgtd3g5Ni14Z3hy
RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
Impact
A security-sensitive bug was discovered by Open Source Developer Erik Sundell of Sundell Open Source Consulting AB.
The functions RandomAlphaNumeric(int) and CryptoRandomAlphaNumeric(int) are not as random as they should be. Small values of int in the functions above will return a smaller subset of results than they should. For example, RandomAlphaNumeric(1) will always return a digit in the 0-9 range, while RandomAlphaNumeric(4) will return around ~7 million of the ~13M possible permutations.
This is considered a security release because programs that rely upon random generators for passwords are at an increased risk of brute force-style password guessing. There is also a higher probability of collision.
The problem was the result of a mistaken regular expression that only accepted random strings if they contained a digit from [0-9]. That restriction has been removed.
Patches
This issue has been corrected in v1.1.1.
Workarounds
If you cannot upgrade to v1.1.1, you can work around the issue by calling RandomAlphaNumericCustom(N, true, true)|CryptoRandomAlphaNumericCustom(N, true, true) instead. (Where N is the desired length, and true is the literal boolean true.)
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhnMmgtd3g5Ni14Z3hy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-xg2h-wx96-xgxr
References:
- https://github.com/Masterminds/goutils/security/advisories/GHSA-xg2h-wx96-xgxr
- https://github.com/Masterminds/goutils/commit/f1923532a168b8203bfe956d8cd3b17ebece5982
- https://github.com/Masterminds/goutils/releases/tag/v1.1.1
- https://github.com/advisories/GHSA-xg2h-wx96-xgxr
Blast Radius: 0.0
Affected Packages
go:github.com/Masterminds/goutils
Dependent packages: 6,878Dependent repositories: 19,393
Downloads:
Affected Version Ranges: < 1.1.1
Fixed in: 1.1.1
All affected versions: 1.0.1, 1.1.0
All unaffected versions: 1.1.1