apache · spacewander · Dec 7, 2021 · Dec 3, 2021 · Dec 5, 2021 · Dec 5, 2021
diff --git a/apisix/patch.lua b/apisix/patch.lua
@@ -20,18 +20,25 @@ local ipmatcher = require("resty.ipmatcher")
 local socket = require("socket")
 local unix_socket = require("socket.unix")
 local ssl = require("ssl")
+local ngx = ngx
 local get_phase = ngx.get_phase
 local ngx_socket = ngx.socket
 local original_tcp = ngx.socket.tcp
 local original_udp = ngx.socket.udp
 local concat_tab = table.concat
+local debug = debug
 local new_tab = require("table.new")
 local log = ngx.log
 local WARN = ngx.WARN
 local ipairs = ipairs
 local select = select
 local setmetatable = setmetatable
+local string = string
+local table = table
 local type = type
+local tonumber = tonumber
+local tostring = tostring
+local min = math.min
 
 
 local config_local
@@ -86,6 +93,64 @@ do
 end
 
 
+do -- `_G.math.randomseed` patch
+
+    -- Seeds the random generator, use with care.
+    -- Once - properly - seeded, this method is replaced with a stub
+    -- one. This is to enforce best-practices for seeding in ngx_lua,
+    -- and prevents third-party modules from overriding our correct seed
+    -- (many modules make a wrong usage of `math.randomseed()` by calling
+    -- it multiple times or by not using unique seeds for Nginx workers).
+    -- Inspired by kong.globalpatches
+    local resty_random = require("resty.random")
+    local math_randomseed = math.randomseed
+    local seeded = {}
+
+    -- make linter happy
+    -- luacheck: ignore
+    math.randomseed = function()
+        local seed
+        local worker_pid = ngx.worker.pid()
+
+        -- check seed mark
+        if seeded[worker_pid] then
+            log(ngx.DEBUG, debug.traceback("attempt to seed already seeded random number " ..
+                                           "generator on process #" .. tostring(worker_pid), 2))
+            return
+        end
+
+        -- get randomseed
+        local bytes = resty_random.bytes(8)
+        if bytes then
+            log(ngx.DEBUG, "seeding from resty.random.bytes")
+
+            local t = {}
+            -- truncate the final number to prevent integer overflow,
+            -- since math.randomseed() could get cast to a platform-specific
+            -- integer with a different size and get truncated, hence, lose
+            -- randomness.
+            -- double-precision floating point should be able to represent numbers
+            -- without rounding with up to 15/16 digits but let's use 12 of them.
+            for i = 1, min(#bytes, 12) do
+                t[i] = string.byte(bytes, i)
+            end
+
+            local str = table.concat(t)
+            seed = tonumber(str)
+        else
+            log(ngx.ERR, "could not seed from resty.random.bytes, seeding ",
+                         "seeding with time and process id instead (this can ",
+                         "result to duplicated seeds)")
+
+            seed = ngx.now() * 1000 + worker_pid
+        end
+
+        seeded[worker_pid] = true
+        math_randomseed(seed)
+    end
+end -- do
+
+
 local patch_udp_socket
 do
     local old_udp_sock_setpeername