GO-S1033 · Random number generator seed doesn't have enough entropy

deepsourcestatus / test-repository

Active

Random number generator seed doesn't have enough entropy GO-S1033

Security

Major

8 months ago — 8 months old

a02 cwe-336 cwe-337 owasp top 10 cwe-331

Time based seeds have insufficient entropy

go/hash.go

 8)
 9
10func randomSeed() uint32 {
11	rand.Seed(time.Now().UnixNano())12	seeds := []uint32{0xCAFE, 0xcaFE, 0xcafe, 0xCAAF, 0xFACE}
13	min, max := 0, len(seeds)-1
14	return seeds[rand.Intn(max-min+1)+min]

Description

As math/rand uses a statistical random number generator, using a low entropy seed (such as constants and the current system time) may allow an attacker to predict what the following number generated is.

Bad practice

package main

import (
    "math/rand"
    "time"
)

func main() {
    rand.Seed(42)                // constant seeds are bad
    rand.Seed(time.Now().Unix()) // time based seeds don't have sufficient entropy
}

References

OWASP A2:2021
CWE-331
CWE-336
CWE-337