Secure Source of Randomness #1038

denniszelada · 2023-12-11T20:55:51Z

This codemod replaces all instances of functions in the random module (e.g. random.random() with their, much more secure, equivalents from the secrets module (e.g. secrets.SystemRandom().random()).

There is significant algorithmic complexity in getting computers to generate genuinely unguessable random bits. The random.random() function uses a method of pseudo-random number generation that unfortunately emits fairly predictable numbers.

If the numbers it emits are predictable, then it's obviously not safe to use in cryptographic operations, file name creation, token construction, password generation, and anything else that's related to security. In fact, it may affect security even if it's not directly obvious.

Switching to a more secure version is simple and the changes look something like this:

- import random
+ import secrets
  ...
- random.random()
+ secrets.SystemRandom().random()

References:

mmabrouk

Thanks for the PR @denniszelada !

Secure Source of Randomness

99c8a4d

mmabrouk approved these changes Dec 12, 2023

View reviewed changes

mmabrouk merged commit f90dfee into Agenta-AI:main Dec 12, 2023
2 of 3 checks passed

techemmy mentioned this pull request Mar 24, 2024

[Snyk] Upgrade posthog-js from 1.78.2 to 1.110.0 techemmy/agenta#4

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Secure Source of Randomness #1038

Secure Source of Randomness #1038

denniszelada commented Dec 11, 2023

mmabrouk left a comment

Secure Source of Randomness #1038

Secure Source of Randomness #1038

Conversation

denniszelada commented Dec 11, 2023

mmabrouk left a comment

Choose a reason for hiding this comment