[jira] [Updated] (ZOOKEEPER-3197) Improve documentation in ZooKeeperServer.superSecret
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] ASF GitHub Bot updated ZOOKEEPER-3197: -- Labels: pull-request-available (was: ) > Improve documentation in ZooKeeperServer.superSecret > > > Key: ZOOKEEPER-3197 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3197 > Project: ZooKeeper > Issue Type: Task >Reporter: Colm O hEigeartaigh >Priority: Trivial > Labels: pull-request-available > > A security scan flagged the use of a hard-coded secret > (ZooKeeperServer.superSecret) in conjunction with a java Random instance to > generate a password: > byte[] generatePasswd(long id) > { Random r = new Random(id ^ superSecret); byte p[] = > new byte[16]; r.nextBytes(p); return p; } > superSecret has the following javadoc: > /** > * This is the secret that we use to generate passwords, for the moment it > * is more of a sanity check. > */ > It is unclear from this comment and looking at the code why it is not a > security risk. It would be good to update the javadoc along the lines of > "Using a hard-coded secret with Random to generate a password is not a > security risk because the resulting passwords are used for X, Y, Z and not > for authentication etc" or something would be very helpful for anyone else > looking at the code. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (ZOOKEEPER-3197) Improve documentation in ZooKeeperServer.superSecret
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh updated ZOOKEEPER-3197: --- Description: A security scan flagged the use of a hard-coded secret (ZooKeeperServer.superSecret) in conjunction with a java Random instance to generate a password: byte[] generatePasswd(long id) { Random r = new Random(id ^ superSecret); byte p[] = new byte[16]; r.nextBytes(p); return p; } superSecret has the following javadoc: /** * This is the secret that we use to generate passwords, for the moment it * is more of a sanity check. */ It is unclear from this comment and looking at the code why it is not a security risk. It would be good to update the javadoc along the lines of "Using a hard-coded secret with Random to generate is not a security risk because the resulting passwords are used for X and not for authentication" or something would be very helpful for anyone else looking at the code. was: A security scan flagged the use of a hard-coded secret (ZooKeeperServer.superSecret) in conjunction with a java Random instance to generate a password: byte[] generatePasswd(long id) { Random r = new Random(id ^ superSecret); byte p[] = new byte[16]; r.nextBytes(p); return p; } superSecret has the following javadoc: /** * This is the secret that we use to generate passwords, for the moment it * is more of a sanity check. */ It is unclear from this comment and looking at the code why it is not a security risk. It would be good to update the javadoc along the lines of "Using a hard-coded secret with Random to generate is not a security risk because the resulting passwords are used for X and not for authentication" or something would be very helpful for anyone else looking at the code. > Improve documentation in ZooKeeperServer.superSecret > > > Key: ZOOKEEPER-3197 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3197 > Project: ZooKeeper > Issue Type: Task >Reporter: Colm O hEigeartaigh >Priority: Trivial > > A security scan flagged the use of a hard-coded secret > (ZooKeeperServer.superSecret) in conjunction with a java Random instance to > generate a password: > byte[] generatePasswd(long id) > { > Random r = new Random(id ^ superSecret); > byte p[] = new byte[16]; > r.nextBytes(p); > return p; > } > superSecret has the following javadoc: > /** > * This is the secret that we use to generate passwords, for the moment it > * is more of a sanity check. > */ > It is unclear from this comment and looking at the code why it is not a > security risk. It would be good to update the javadoc along the lines of > "Using a hard-coded secret with Random to generate is not a security risk > because the resulting passwords are used for X and not for authentication" or > something would be very helpful for anyone else looking at the code. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (ZOOKEEPER-3197) Improve documentation in ZooKeeperServer.superSecret
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh updated ZOOKEEPER-3197: --- Description: A security scan flagged the use of a hard-coded secret (ZooKeeperServer.superSecret) in conjunction with a java Random instance to generate a password: byte[] generatePasswd(long id) { Random r = new Random(id ^ superSecret); byte p[] = new byte[16]; r.nextBytes(p); return p; } superSecret has the following javadoc: /** * This is the secret that we use to generate passwords, for the moment it * is more of a sanity check. */ It is unclear from this comment and looking at the code why it is not a security risk. It would be good to update the javadoc along the lines of "Using a hard-coded secret with Random to generate a password is not a security risk because the resulting passwords are used for X, Y, Z and not for authentication etc" or something would be very helpful for anyone else looking at the code. was: A security scan flagged the use of a hard-coded secret (ZooKeeperServer.superSecret) in conjunction with a java Random instance to generate a password: byte[] generatePasswd(long id) { Random r = new Random(id ^ superSecret); byte p[] = new byte[16]; r.nextBytes(p); return p; } superSecret has the following javadoc: /** * This is the secret that we use to generate passwords, for the moment it * is more of a sanity check. */ It is unclear from this comment and looking at the code why it is not a security risk. It would be good to update the javadoc along the lines of "Using a hard-coded secret with Random to generate is not a security risk because the resulting passwords are used for X and not for authentication" or something would be very helpful for anyone else looking at the code. > Improve documentation in ZooKeeperServer.superSecret > > > Key: ZOOKEEPER-3197 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3197 > Project: ZooKeeper > Issue Type: Task >Reporter: Colm O hEigeartaigh >Priority: Trivial > > A security scan flagged the use of a hard-coded secret > (ZooKeeperServer.superSecret) in conjunction with a java Random instance to > generate a password: > byte[] generatePasswd(long id) > { Random r = new Random(id ^ superSecret); byte p[] = > new byte[16]; r.nextBytes(p); return p; } > superSecret has the following javadoc: > /** > * This is the secret that we use to generate passwords, for the moment it > * is more of a sanity check. > */ > It is unclear from this comment and looking at the code why it is not a > security risk. It would be good to update the javadoc along the lines of > "Using a hard-coded secret with Random to generate a password is not a > security risk because the resulting passwords are used for X, Y, Z and not > for authentication etc" or something would be very helpful for anyone else > looking at the code. -- This message was sent by Atlassian JIRA (v7.6.3#76005)