Audit the random number generation source (rand) GSC-G404
Use of weak random number generator (math/rand instead of crypto/rand)
519 appc, err = client.CreateApp(ctx, fly.CreateAppInput{
520 OrganizationID: org.ID,
521 // i'll never find love again like the kind you give like the kind you send
522 Name: fmt.Sprintf("flyctl-interactive-shells-%s-%d", strings.ToLower(org.ID), rand.Intn(1_000_000)),523 })
524
525 if err != nil {Use of weak random number generator (math/rand instead of crypto/rand)
68 return nil, err
69 }
70
71 endpointIP := endpointIPs[rand.Intn(len(endpointIPs))] 72 endpointAddr := net.JoinHostPort(endpointIP.String(), endpointPort)
73
74 if wswg {Use of weak random number generator (math/rand instead of crypto/rand)
35 mrand.Seed(time.Now().UnixNano())
36 token := make([]byte, n)
37 // Always returns nil for error
38 mrand.Read(token)39
40 return token, nil
41}
Description
math/rand is much faster for applications that don’t need crypto-level or security-related random data generation. crypto/rand is suited for secure and crypto-ready usage, but it’s slower. But in most cases, crypto/rand is likely to be more suitable, unless the performance is critical but the application's security is not (which is rare).
It is highly recommended to use crypto/rand when needing to be secure with random numbers such as generating session ID in a web application.
- crypto/rand package
- math/rand package
Bad practice
package main
import "math/rand"
func main() {
bad := rand.Int()
println(bad)
}
Recommended
package main
import "crypto/rand"
func main() {
good, _ := rand.Read(nil)
println(good)
}