From 6b9c6810aa253852575013f4fcd88ff2651b2fc2 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sun, 1 Mar 2026 12:03:29 +0000
Subject: [PATCH 1/2] Fix insecure randomness in ID generators

Replaced `Random()` with `Random.secure()` in ID and random string generators to prevent predictability vulnerabilities.
Affected files:
- `lib/common_domain_models/lib/src/ids/src/id.dart`
- `lib/abgabe/abgabe_client_lib/lib/src/models/auto_id_generator.dart`
- `lib/sharezone_utils/lib/src/random_string/random_string.dart`

Co-authored-by: nilsreichardt <24459435+nilsreichardt@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 .../abgabe_client_lib/lib/src/models/auto_id_generator.dart | 3 ++-
 lib/common_domain_models/lib/src/ids/src/id.dart | 4 ++--
 .../lib/src/random_string/random_string.dart | 6 ++++--
 4 files changed, 12 insertions(+), 5 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 000000000..c05419b0e
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-24 - [Insecure Randomness for Identifiers]
+**Vulnerability:** Weak random number generation (`Random()`) used for IDs, secrets, tokens, or security-sensitive identifiers.
+**Learning:** `Random()` uses a linear congruential generator or similar PRNG algorithm that can be predicted with enough observations. Attackers can figure out the internal state and guess past or future IDs, leading to potential ID enumeration, session hijacking, or predicting sensitive values.
+**Prevention:** Use `Random.secure()` from `dart:math` for generating any ID, token, or security-critical random value.
diff --git a/lib/abgabe/abgabe_client_lib/lib/src/models/auto_id_generator.dart b/lib/abgabe/abgabe_client_lib/lib/src/models/auto_id_generator.dart
index 86c44fb09..21424ed99 100644
--- a/lib/abgabe/abgabe_client_lib/lib/src/models/auto_id_generator.dart
+++ b/lib/abgabe/abgabe_client_lib/lib/src/models/auto_id_generator.dart
@@ -16,7 +16,8 @@ class AutoIdGenerator {
 static const String alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
- static final Random _random = Random();
+ // Use Random.secure() to prevent predicting auto-generated IDs
+ static final Random _random = Random.secure();
 /// Automatically Generates a random new Id
 static String autoId() {
diff --git a/lib/common_domain_models/lib/src/ids/src/id.dart b/lib/common_domain_models/lib/src/ids/src/id.dart
index 022a684c5..89b9809de 100644
--- a/lib/common_domain_models/lib/src/ids/src/id.dart
+++ b/lib/common_domain_models/lib/src/ids/src/id.dart
@@ -19,9 +19,9 @@ class Id {
 }
 /// Generates a new random [Id] with the given [length] using characters
- /// from a-z, A-Z and 0-9.
+ /// from a-z, A-Z and 0-9. Uses [Random.secure] by default to prevent ID prediction.
 static Id generate({int length = 20, Random? random}) {
- random ??= Random();
+ random ??= Random.secure();
 const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
 final id =
diff --git a/lib/sharezone_utils/lib/src/random_string/random_string.dart b/lib/sharezone_utils/lib/src/random_string/random_string.dart
index 2322868a4..272dfb14a 100644
--- a/lib/sharezone_utils/lib/src/random_string/random_string.dart
+++ b/lib/sharezone_utils/lib/src/random_string/random_string.dart
@@ -9,7 +9,8 @@ import 'dart:math';
 String randomString(int length) {
- var rand = Random();
+ // Use Random.secure() to prevent predictability of random strings
+ var rand = Random.secure();
 var codeUnits = List.generate(length, (index) {
 return rand.nextInt(33) + 89;
 });
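Review bot: `Random.secure()` throws an `UnsupportedError` when the platform offers no cryptographically secure source, and because `_random` is a lazily initialised `static final`, that failure would surface on the first `autoId()` call rather than at startup; the new comment should say so, e.g. `// Random.secure() throws UnsupportedError on platforms without a secure source; failing is preferred over a guessable ID.` The same consideration applies to the `Random.secure()` calls in the id.dart hunk and in both random_string.dart hunks of this patch. The body of `autoId()` continues outside the hunk, so how `_random` is consumed is not visible here.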
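Review bot: The rewritten doc line `/// from a-z, A-Z and 0-9. Uses [Random.secure] by default to prevent ID prediction.` runs well past 80 columns, which `dart format` leaves untouched but the `lines_longer_than_80_chars` lint flags if the package enables it; splitting it into `/// from a-z, A-Z and 0-9.` followed by a blank `///` and `/// Uses [Random.secure] by default so generated ids are not predictable.` also keeps the summary sentence separate per Effective Dart. Keeping the `random` parameter injectable is the right call, since tests can pass a seeded `Random` while production gets the secure default, and that deserves a sentence too, e.g. `/// Pass [random] to control the source, e.g. a seeded [Random] in tests.` The start of `class Id` and the remainder of `generate` lie outside the hunk.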
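Review bot: `randomString` now constructs a fresh `Random.secure()` on every call, and the `randomIDString` hunk later in this file does the same, whereas `AutoIdGenerator` in the same patch keeps one `static final` instance. A file-level `final _secureRandom = Random.secure();` used by both functions would make the three generators consistent and avoids re-initialising the secure source per call, which is presumably more expensive than `Random()` (worth confirming on the target platforms). The two per-function comments could then collapse into one on the shared field, e.g. `// Shared secure source so generated strings and ids cannot be predicted.` The bodies of both functions continue outside their hunks.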
@@ -18,7 +19,8 @@ String randomString(int length) {
 }
 String randomIDString(int length) {
- var rand = Random();
+ // Use Random.secure() to prevent predictability of generated IDs
+ var rand = Random.secure();
 const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
 String result = "";

From fbe3a583291d94c252b1fef3154573a913d72120 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sun, 1 Mar 2026 12:08:23 +0000
Subject: [PATCH 2/2] Fix insecure randomness in ID generators

Replaced `Random()` with `Random.secure()` in ID and random string generators to prevent predictability vulnerabilities.
Affected files:
- `lib/common_domain_models/lib/src/ids/src/id.dart`
- `lib/abgabe/abgabe_client_lib/lib/src/models/auto_id_generator.dart`
- `lib/sharezone_utils/lib/src/random_string/random_string.dart`
Formatted `.jules/sentinel.md` using prettier to fix CI checks.

Co-authored-by: nilsreichardt <24459435+nilsreichardt@users.noreply.github.com>
---
 .jules/sentinel.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index c05419b0e..5ffc29d8e 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -1,4 +1,5 @@
 ## 2024-05-24 - [Insecure Randomness for Identifiers]
+
 **Vulnerability:** Weak random number generation (`Random()`) used for IDs, secrets, tokens, or security-sensitive identifiers.
 **Learning:** `Random()` uses a linear congruential generator or similar PRNG algorithm that can be predicted with enough observations. Attackers can figure out the internal state and guess past or future IDs, leading to potential ID enumeration, session hijacking, or predicting sensitive values.
 **Prevention:** Use `Random.secure()` from `dart:math` for generating any ID, token, or security-critical random value.