diff options
author | Dan Callahan <danc@element.io> | 2021-05-14 10:58:46 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-14 10:58:46 +0100 |
commit | 498084228b89d30462df0a5adfcc737fdc21d314 (patch) | |
tree | 5682ee85ae6667222390ff02fccc61da834deacc | |
parent | Support enabling opentracing by user (#9978) (diff) | |
download | synapse-498084228b89d30462df0a5adfcc737fdc21d314.tar.xz |
Use Python's secrets module instead of random (#9984)
Functionally identical, but more obviously cryptographically secure. ...Explicit is better than implicit? Avoids needing to know that SystemRandom() implies a CSPRNG, and complies with the big scary red box on the documentation for random: > Warning: > The pseudo-random generators of this module should not be used for > security purposes. For security or cryptographic uses, see the > secrets module. https://docs.python.org/3/library/random.html Signed-off-by: Dan Callahan <danc@element.io>
-rw-r--r-- | changelog.d/9984.misc | 1 | ||||
-rw-r--r-- | synapse/util/stringutils.py | 19 |
2 files changed, 12 insertions, 8 deletions
diff --git a/changelog.d/9984.misc b/changelog.d/9984.misc new file mode 100644 index 0000000000..97bd747f26 --- /dev/null +++ b/changelog.d/9984.misc @@ -0,0 +1 @@ +Simplify a few helper functions. diff --git a/synapse/util/stringutils.py b/synapse/util/stringutils.py index 4f25cd1d26..40cd51a8ca 100644 --- a/synapse/util/stringutils.py +++ b/synapse/util/stringutils.py @@ -13,8 +13,8 @@ # See the License for the specific language governing permissions and # limitations under the License. import itertools -import random import re +import secrets import string from collections.abc import Iterable from typing import Optional, Tuple @@ -35,18 +35,21 @@ CLIENT_SECRET_REGEX = re.compile(r"^[0-9a-zA-Z\.=_\-]+$") # MXC_REGEX = re.compile("^mxc://([^/]+)/([^/#?]+)$") -# random_string and random_string_with_symbols are used for a range of things, -# some cryptographically important, some less so. We use SystemRandom to make sure -# we get cryptographically-secure randoms. -rand = random.SystemRandom() - def random_string(length: int) -> str: - return "".join(rand.choice(string.ascii_letters) for _ in range(length)) + """Generate a cryptographically secure string of random letters. + + Drawn from the characters: `a-z` and `A-Z` + """ + return "".join(secrets.choice(string.ascii_letters) for _ in range(length)) def random_string_with_symbols(length: int) -> str: - return "".join(rand.choice(_string_with_symbols) for _ in range(length)) + """Generate a cryptographically secure string of random letters/numbers/symbols. + + Drawn from the characters: `a-z`, `A-Z`, `0-9`, and `.,;:^&*-_+=#~@` + """ + return "".join(secrets.choice(_string_with_symbols) for _ in range(length)) def is_ascii(s: bytes) -> bool: |