Do not use a pseudo-random number to generate a secret

This product is not supported for your selected Datadog site. ().
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: java-security/no-pseudo-random-secret

Language: Java

Severity: Warning

Category: Security

CWE: 338

Description

Never use the Random class to generate secrets. Instead, use the SecureRandom class.

Learn More

Non-Compliant Code Examples

class MyClass{
    public String generateSecretToken() {
        Random r = new Random();
        return Long.toHexString(r.nextLong());
    }
}

Compliant Code Examples

import org.apache.commons.codec.binary.Hex;

class Class {
    String generateSecretToken() {
        SecureRandom secRandom = new SecureRandom();

        byte[] result = new byte[32];
        secRandom.nextBytes(result);
        return Hex.encodeHexString(result);
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Security

Datadog Code Security
PREVIEWING: ida.adjivon/rtrieu/DOCS-10715-ET-standalone