Generator-jhipster: Bug bounty for solving security issue - thank you @atomfrede

Created on 13 Sep 2019 · 9 Comments · Source: jhipster/generator-jhipster

This is linked to https://github.com/jhipster/generator-jhipster/issues/10401

As discussed in the security advisory (not public yet), we put a $300 bug bounty for whoever was solving the issue (so $500 for reporting the issue, and $300 for solving it!).

@atomfrede you seem to have done the fix, so I'm assigning this to you, and adding the bounty here so we follow our usual process.

$$ bug-bounty $$ $300


All 9 comments

Bounty claimed https://opencollective.com/generator-jhipster/expenses/10062 Thanks @jdubois for putting the bounty! It was great to work with everyone keeping calm on that issue!

Yes that was awesome to work together on this!

@atomfrede : can we close this ticket ?

Yes

Thanks for solving this problem!

in the upgrade it states:

How to fix the issue you probably don't need to upgrade JHipster, as this just affects a few generated files, so this can be done manually. The issue is in the generated RandomUtil class. Here is this class in our sample application generated with JHipster v6.2.0 and here is the updated version, using JHipster v6.3.0. So all you need to do is copy the new file, which uses SecureRandom, and replace the older file.

Which is not totally true, because these methods have been removed:

/**
 * Generate a unique series to validate a persistent token, used in the
 * authentication remember-me mechanism.
 *
 * @return the generated series data.
 */
public static String generateSeriesData() {
    return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
}
/**
 * Generate a persistent token, used in the authentication remember-me mechanism.
 *
 * @return the generated token data.
 */
public static String generateTokenData() {
    return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
}

should they be added with:

    return generateRandomAlphanumericString();

@tibistibi the method signatures of RandomUtil should be the same; what is inside those methods did change

yes clear! maybe good to add the information to the upgrade page?

so for me I could fix it by replacing the RandomUtil file and adding this:

/**
 * Generate a unique series to validate a persistent token, used in the
 * authentication remember-me mechanism.
 *
 * @return the generated series data.
 */
public static String generateSeriesData() {
    return generateRandomAlphanumericString();
}
/**
 * Generate a persistent token, used in the authentication remember-me mechanism.
 *
 * @return the generated token data.
 */
public static String generateTokenData() {
    return generateRandomAlphanumericString();
}

@tibistibi RandomUtil depends on your auth type, Session auth has some extra methods. I couldn't find sample apps for Session or UAA, so you can see the various options here: https://github.com/ruddell/jhipster-examples/tree/cve-random-util-fixes
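For anyone applying the fix by hand, here is an added example (not the generator's own RandomUtil, and using only the JDK rather than the commons-lang3 call the generated class uses) of the pattern the thread describes: the remember-me methods keep their signatures and delegate to a SecureRandom-backed generateRandomAlphanumericString(). The class name and DEF_COUNT = 20 are assumptions.

```java
import java.security.SecureRandom;

// Minimal stand-in for the generated RandomUtil after the fix: public method
// signatures are unchanged, every token is drawn from one shared SecureRandom.
// Written for this thread, not copied from the generator, which builds the
// string with a commons-lang3 overload; this version uses only the JDK.
public final class RandomUtilExample {

    private static final int DEF_COUNT = 20; // assumed length
    private static final String ALPHANUMERIC =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    // One CSPRNG for the class; SecureRandom seeds itself from the OS entropy source.
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    static {
        // Pull some bytes once so seeding happens at class load, not on the first request.
        SECURE_RANDOM.nextBytes(new byte[64]);
    }

    private static String generateRandomAlphanumericString() {
        StringBuilder sb = new StringBuilder(DEF_COUNT);
        for (int i = 0; i < DEF_COUNT; i++) {
            // nextInt(bound) is uniform over [0, bound), so there is no modulo bias.
            sb.append(ALPHANUMERIC.charAt(SECURE_RANDOM.nextInt(ALPHANUMERIC.length())));
        }
        return sb.toString();
    }

    /** Remember-me series: same signature as before, now backed by SecureRandom. */
    public static String generateSeriesData() {
        return generateRandomAlphanumericString();
    }

    /** Remember-me token: same signature as before, now backed by SecureRandom. */
    public static String generateTokenData() {
        return generateRandomAlphanumericString();
    }

    public static void main(String[] args) {
        String series = generateSeriesData();
        String token = generateTokenData();
        // Sanity checks: fixed length, alphanumeric only, two calls do not collide.
        if (series.length() != DEF_COUNT || !series.chars().allMatch(Character::isLetterOrDigit)
                || series.equals(token)) {
            throw new IllegalStateException("unexpected token shape");
        }
        System.out.println("series=" + series + " token=" + token);
    }
}
```

The point to check in your own copy is that no public method still calls RandomStringUtils.randomAlphanumeric(DEF_COUNT), since that overload draws from java.util.Random rather than a SecureRandom you supply.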
