[ZOOKEEPER-3197] Improve documentation in ZooKeeperServer.superSecret - ASF JIRA

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Trivial
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.6.0, 3.5.5
Component/s: None
Labels:
- pull-request-available

Description

A security scan flagged the use of a hard-coded secret (ZooKeeperServer.superSecret) in conjunction with a java Random instance to generate a password:

byte[] generatePasswd(long id)

{ Random r = new Random(id ^ superSecret); byte p[] = new byte[16]; r.nextBytes(p); return p; }

superSecret has the following javadoc:

/**
   * This is the secret that we use to generate passwords, for the moment it
   * is more of a sanity check.
   */

It is unclear from this comment and looking at the code why it is not a security risk. It would be good to update the javadoc along the lines of "Using a hard-coded secret with Random to generate a password is not a security risk because the resulting passwords are used for X, Y, Z and not for authentication etc" or something would be very helpful for anyone else looking at the code.

Attachments

Issue Links

Add Link

links to

GitHub Pull Request #752

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Unassigned

Reporter:: Colm O hEigeartaigh

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 22/Nov/18 19:18

Updated:: 20/May/19 20:50

Resolved:: 07/Jan/19 17:34

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

Improve documentation in ZooKeeperServer.superSecret