Skip to content

RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

Low severity GitHub Reviewed Published Feb 4, 2021 in Masterminds/goutils • Updated May 20, 2024

Package

gomod github.com/Masterminds/goutils (Go)

Affected versions

< 1.1.1

Patched versions

1.1.1

Description

Impact

A security-sensitive bug was discovered by Open Source Developer Erik Sundell of Sundell Open Source Consulting AB.

The functions RandomAlphaNumeric(int) and CryptoRandomAlphaNumeric(int) are not as random as they should be. Small values of int in the functions above will return a smaller subset of results than they should. For example, RandomAlphaNumeric(1) will always return a digit in the 0-9 range, while RandomAlphaNumeric(4) will return around ~7 million of the ~13M possible permutations.

This is considered a security release because programs that rely upon random generators for passwords are at an increased risk of brute force-style password guessing. There is also a higher probability of collision.

The problem was the result of a mistaken regular expression that only accepted random strings if they contained a digit from [0-9]. That restriction has been removed.

Patches

This issue has been corrected in v1.1.1.

Workarounds

If you cannot upgrade to v1.1.1, you can work around the issue by calling RandomAlphaNumericCustom(N, true, true)|CryptoRandomAlphaNumericCustom(N, true, true) instead. (Where N is the desired length, and true is the literal boolean true.)

References

@technosophos technosophos published to Masterminds/goutils Feb 4, 2021
Reviewed May 21, 2021
Published to the GitHub Advisory Database May 21, 2021
Last updated May 20, 2024

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-xg2h-wx96-xgxr

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.