Currently ecdsa-dotnet has an issue where it is using Random in order to verify some signatures. It is troublesome for static analyzers like Veracode because they treat this as a vulnerability.
I currently submitted PR that should fix that issue in the upcoming version of ecdsa-dotnet.
[2020-06-24] Version 9.17.0 which adds Elliptic curve code (the same code as in ecdsa-dotnet)

Hi @shoter
Thanks for bringing this to our attention. Is your suggestion to also use RandomNumberGenerator.GetBytes Method instead of random here?
I believe this Integer.cs was deleted from the code in favor of using ecdsa-dotnet.
But if you would like to bring it back, it would bring the same issue unless you use the RandomNumberGenerator.GetBytes method.
For example, for our project we need to work on a version before Integer.cs was introduced because of this issue.
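One way to implement the replacement suggested above, as an added example that is neither ecdsa-dotnet's nor this library's code: a range-bounded random BigInteger (the kind of value ECDSA draws per signature) sourced from RandomNumberGenerator.GetBytes rather than System.Random, with rejection sampling so the result is uniform. The method name SecureBetween and the use of the secp256k1 group order as sample input are assumptions for illustration.

```csharp
using System;
using System.Globalization;
using System.Numerics;
using System.Security.Cryptography;

public static class SecureRandomInteger
{
    // Returns a uniformly distributed BigInteger in [min, max] using a CSPRNG.
    // System.Random is a general-purpose generator with a predictable seed and is
    // not suitable for values that must stay secret, such as an ECDSA nonce.
    public static BigInteger SecureBetween(BigInteger min, BigInteger max)
    {
        if (max < min) throw new ArgumentException("max must be >= min");
        BigInteger range = max - min;                 // candidates are drawn from [0, range]
        if (range.IsZero) return min;

        int bits = 0;                                  // bit length of range
        for (BigInteger t = range; t > 0; t >>= 1) bits++;
        int byteCount = (bits + 7) / 8;
        byte[] buf = new byte[byteCount + 1];          // extra zero byte keeps the value non-negative
        byte topMask = (byte)(0xFF >> (byteCount * 8 - bits)); // clears bits above the range's bit length

        using var rng = RandomNumberGenerator.Create();
        while (true)
        {
            rng.GetBytes(buf, 0, byteCount);           // CSPRNG bytes; trailing byte stays 0x00
            buf[byteCount - 1] &= topMask;             // candidate < 2^bits, so at most ~50% rejections
            var candidate = new BigInteger(buf);       // little-endian two's complement
            if (candidate <= range) return min + candidate; // reject instead of reducing mod range (no bias)
        }
    }

    public static void Main()
    {
        // Sample input: the secp256k1 group order n. An ECDSA nonce k must lie in [1, n-1].
        BigInteger n = BigInteger.Parse(
            "00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",
            NumberStyles.HexNumber);                   // leading 00 keeps the parse positive
        BigInteger k = SecureBetween(BigInteger.One, n - 1);
        Console.WriteLine(k >= 1 && k <= n - 1 ? "k in range" : "k out of range");
    }
}
```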
@shoter So what it sounds like is we'll just have to bump our dependency version when a new version of ecdsa-dotnet is released with a fix. Until then, you're welcome to submit a PR here to bring back the local Elliptic Curve code solution, with the fix you're suggesting, so you can continue to use this helper library until your PR in ecdsa-dotnet is merged and released.
The ecdsa-dotnet project just updated to 1.3.1 (15 minutes ago), so we should be good to bump the dependency soon as they make a full release (latest release is still tagged as 1.3.0)