  1. ZooKeeper
  2. ZOOKEEPER-3197

Improve documentation in ZooKeeperServer.superSecret


    Details

    • Type: Task
    • Status: Closed
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6.0, 3.5.5
    • Component/s: None

      Description

      A security scan flagged the use of a hard-coded secret (ZooKeeperServer.superSecret) in conjunction with a Java Random instance to generate a password:

      byte[] generatePasswd(long id) {
          Random r = new Random(id ^ superSecret);
          byte p[] = new byte[16];
          r.nextBytes(p);
          return p;
      }

      superSecret has the following javadoc:

       /**
         * This is the secret that we use to generate passwords, for the moment it
         * is more of a sanity check.
         */

      It is unclear from this comment and from looking at the code why it is not a security risk. It would be good to update the javadoc along the lines of "Using a hard-coded secret with Random to generate a password is not a security risk because the resulting passwords are used for X, Y, Z and not for authentication etc"; something like that would be very helpful for anyone else looking at the code.
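
The two properties behind a scanner finding on this pattern, as an added example that is not part of the original issue or of ZooKeeper's code: the password is a pure function of the session id and the constant, and java.util.Random keeps only 48 bits of its seed. The class name, SUPER_SECRET value and session id are placeholders constructed for the example.

```java
import java.util.Arrays;
import java.util.Random;

public class SessionPasswdCheck {
    // Placeholder constant constructed for this example; not ZooKeeper's value.
    static final long SUPER_SECRET = 0x0123456789ABCDEFL;

    // Same shape as the method quoted in the issue description.
    static byte[] generatePasswd(long id) {
        Random r = new Random(id ^ SUPER_SECRET);
        byte[] p = new byte[16];
        r.nextBytes(p);
        return p;
    }

    // Property 1: no per-call randomness, so the value can always be
    // recomputed from (id, constant) and never needs to be stored.
    static boolean isDeterministic(long id) {
        return Arrays.equals(generatePasswd(id), generatePasswd(id));
    }

    // Property 2: java.util.Random masks its seed to 48 bits, so two ids
    // that differ only above bit 47 produce the same 16 bytes. The 128-bit
    // output therefore carries at most 48 bits of variation.
    static boolean highBitsIgnored(long id) {
        long sameLow48 = id ^ (1L << 48);
        return Arrays.equals(generatePasswd(id), generatePasswd(sameLow48));
    }

    public static void main(String[] args) {
        long id = 0x0100000000000001L; // constructed session id
        System.out.println("deterministic:     " + isDeterministic(id));
        System.out.println("high bits ignored: " + highBitsIgnored(id));
    }
}
```

Both checks hold for any seed passed to java.util.Random, which is why the javadoc needs to say what the value is and is not relied on for.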


              People

              • Assignee: Unassigned
              • Reporter: coheigea Colm O hEigeartaigh


                  Time Tracking

                  • Original Estimate: Not Specified
                  • Remaining Estimate: 0h
                  • Time Spent: 50m