fix(security): use crypto/rand for alias prefix generation
Replace math/rand.Intn with crypto/rand for generating random alias prefixes. While aliases are not security tokens, using a CSPRNG ensures consistent use of cryptographically secure randomness throughout. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
78c4e9c3b0
commit
9870fa7831
1 changed files with 8 additions and 4 deletions
12
addy.go
12
addy.go
|
|
@ -3,13 +3,13 @@ package main
|
|||
import (
|
||||
"bytes"
|
||||
"crypto/hmac"
|
||||
"crypto/rand"
|
||||
"crypto/sha256"
|
||||
"encoding/base32"
|
||||
"encoding/json"
|
||||
"flag"
|
||||
"fmt"
|
||||
"log"
|
||||
"math/rand"
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
|
|
@ -230,10 +230,14 @@ func addyAliasAPIDelete(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
func generateRandomString(length int) string {
|
||||
charset := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
|
||||
const charset = "abcdefghijklmnopqrstuvwxyz0123456789"
|
||||
result := make([]byte, length)
|
||||
for i := range result {
|
||||
result[i] = charset[rand.Intn(len(charset))]
|
||||
buf := make([]byte, length)
|
||||
if _, err := rand.Read(buf); err != nil {
|
||||
panic("crypto/rand unavailable: " + err.Error())
|
||||
}
|
||||
for i, b := range buf {
|
||||
result[i] = charset[int(b)%len(charset)]
|
||||
}
|
||||
return string(result)
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue