[LANG-1750] Using RandomStringUtils.insecure() still leads to using the secure() random - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.16.0
Fix Version/s: 3.17.0
Component/s: lang.*
Labels:
None

Description

In RandomStringUtils v3.16, the use of secure() vs insecure() is used to be able to choose which random generator to use. However, consider the following code path:

a) RandomStringUtils.insecure().nextAlphanumeric(length)

leads to the instance method 'nextAlphanumeric, which in turn calls:

b) static method RandomStringUtils.random(count, true, true)

which in turn calls

c) static method RandomStringUtils.secure().next(count, letters, numbers)

Conclusion: where I want to use the "insecure" option path, I end up having the call forwarded to the "secure" random provider anyway. Where I then run into the problem of having too low entropy and experiencing terrible performance.... (see ~~LANG-1748~~)

Attachments

Activity

People

Assignee:: Gary D. Gregory

Reporter:: Marco Hoek

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 13/Aug/24 22:46

Updated:: 14/Aug/24 12:45

Resolved:: 13/Aug/24 23:47