From 62124525d7e1b0c750848862e652c34067a2e0ba Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Sat, 8 Jun 2024 18:31:11 -0700
Subject: [PATCH] Secure Source of Randomness (#1695)
* Secure Source of Randomness
* lint
---------
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
Co-authored-by: burnettk
---
 .../src/spiffworkflow_backend/models/user.py | 5 +++--
 .../routes/script_unit_tests_controller.py | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
index b600df7b..3ca4b130 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/user.py
@@ -2,6 +2,7 @@ from __future__ import annotations
 import math
 import random
+import secrets
 import string
 import time
 from dataclasses import dataclass
@@ -133,7 +134,7 @@ class UserModel(SpiffworkflowBaseDBModel):
 ]
 fuzz = "".join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(7))
 # this is not for cryptographic purposes
- adjective = random.choice(adjectives) # noqa: S311
- animal = random.choice(animals) # noqa: S311
+ adjective = secrets.choice(adjectives) # noqa: S311
+ animal = secrets.choice(animals) # noqa: S311
 username = f"{prefix}{adjective}{animal}{fuzz}"
 return username
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/script_unit_tests_controller.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/script_unit_tests_controller.py
index 6be0b050..02d0c15a 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/script_unit_tests_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/script_unit_tests_controller.py
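Review bot: The `# noqa: S311` suppressions kept on the two rewritten lines of the `-133,7 +134,7` hunk in models/user.py are stale, because S311 targets the `random` module's generators and `secrets.choice` does not raise it; left in place they would silence the linter if either line were later changed back to `random.choice`. The retained comment `# this is not for cryptographic purposes` only justified that suppression and can go with it, leaving `adjective = secrets.choice(adjectives)` and `animal = secrets.choice(animals)`. The `fuzz` context line above them still calls `random.SystemRandom().choice`, which draws from the same OS source, so writing it as `secrets.choice(...)` would make the function consistent. The same stale `# noqa: S311` remains on the new `fuzz` line of `script_unit_test_create` in routes/script_unit_tests_controller.py. The enclosing method in user.py starts outside the hunk.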
@@ -1,7 +1,7 @@
 """APIs for dealing with process groups, process models, and process instances."""
 import json
-import random
+import secrets
 import string
 import flask.wrappers
@@ -77,7 +77,7 @@ def script_unit_test_create(modified_process_model_identifier: str, body: dict[s
 else:
 unit_test_elements = unit_test_elements_array[0]
- fuzz = "".join(random.choice(string.ascii_uppercase + string.digits) for _ in range(7)) # noqa: S311
+ fuzz = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(7)) # noqa: S311
 unit_test_id = f"unit_test_{fuzz}"
 input_json_element = spiff_element_maker("inputJson", json.dumps(input_json))