  1. ZooKeeper
  2. ZOOKEEPER-3197

Improve documentation in ZooKeeperServer.superSecret


Details

    • Task
    • Status: Closed
    • Trivial
    • Resolution: Fixed
    • None
    • 3.6.0, 3.5.5
    • None

    Description

      A security scan flagged the use of a hard-coded secret (ZooKeeperServer.superSecret) in conjunction with a Java Random instance to generate a password:

      byte[] generatePasswd(long id) {
          Random r = new Random(id ^ superSecret);
          byte p[] = new byte[16];
          r.nextBytes(p);
          return p;
      }

      superSecret has the following javadoc:

       /**
         * This is the secret that we use to generate passwords, for the moment it
         * is more of a sanity check.
         */

      It is unclear from this comment and from looking at the code why it is not a security risk. It would be good to update the javadoc: something along the lines of "Using a hard-coded secret with Random to generate a password is not a security risk because the resulting passwords are used for X, Y, Z and not for authentication etc" would be very helpful for anyone else looking at the code.
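
An added example, not ZooKeeper's code and not part of the original report: it reproduces the shape of the flagged method to show what the scanner reacts to (the output is a pure function of the id and a compile-time constant), next to a keyed derivation for the case where such a value must be unguessable. The class name, the constant's value, the sample id and keyedPasswd are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class PasswdDerivationDemo {
    // Constructed placeholder, NOT ZooKeeper's actual superSecret value.
    static final long SUPER_SECRET = 0x1122334455667788L;

    // Same shape as the flagged method. java.util.Random is a linear
    // congruential generator that keeps only 48 bits of its seed, so the
    // 16 bytes are fully determined by (id, constant) and carry no secret
    // beyond what is in the source code.
    static byte[] generatePasswd(long id) {
        Random r = new Random(id ^ SUPER_SECRET);
        byte[] p = new byte[16];
        r.nextBytes(p);
        return p;
    }

    // Hypothetical alternative: HMAC-SHA256 over the id, keyed with a
    // random per-deployment key, truncated to the same 16 bytes.
    static byte[] keyedPasswd(byte[] key, long id) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(ByteBuffer.allocate(Long.BYTES).putLong(id).array());
        return Arrays.copyOf(tag, 16);
    }

    public static void main(String[] args) throws Exception {
        long id = 0x0100000000000001L; // constructed sample id

        // Two independent calls agree: nothing but id and the constant matters.
        System.out.println("Random-based, repeatable: "
                + Arrays.equals(generatePasswd(id), generatePasswd(id)));

        SecureRandom sr = new SecureRandom();
        byte[] keyA = new byte[32], keyB = new byte[32];
        sr.nextBytes(keyA);
        sr.nextBytes(keyB);

        // Still repeatable for whoever holds the key, but not derivable without it.
        System.out.println("Keyed, same key repeatable: "
                + Arrays.equals(keyedPasswd(keyA, id), keyedPasswd(keyA, id)));
        System.out.println("Keyed, other key matches:   "
                + Arrays.equals(keyedPasswd(keyA, id), keyedPasswd(keyB, id)));
    }
}
```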

            People

              Assignee: Unassigned
              Reporter: Colm O hEigeartaigh (coheigea)