NOISSUE - Security fixes (#3243)

Signed-off-by: dusan <borovcanindusan1@gmail.com>

auth/hasher/hasher.go

@@ -4,11 +4,10 @@
 package hasher
 
 import (
+	"crypto/rand"
 	"encoding/base64"
 	"fmt"
-	"math/rand"
 	"strings"
-	"time"
 
 	"github.com/absmach/supermq/auth"
 	"github.com/absmach/supermq/pkg/errors"
@@ -76,7 +75,6 @@ func (bh *bcryptHasher) Compare(plain, hashed string) error {
 }
 
 func generateSalt(length int) ([]byte, error) {
-	rand.New(rand.NewSource(time.Now().UTC().UnixNano()))
 	salt := make([]byte, length)
 	_, err := rand.Read(salt)
 	if err != nil {

auth/postgres/repo.go

@@ -493,9 +493,9 @@ func (pr *patRepo) processScope(ctx context.Context, sc auth.Scope) (auth.Scope,
 }
 
 func (pr *patRepo) RemoveScope(ctx context.Context, userID string, scopesIDs ...string) error {
-	deleteScopesQuery := fmt.Sprintf(`DELETE FROM pat_scopes WHERE id IN ('%s')`, strings.Join(scopesIDs, ","))
+	deleteScopesQuery := `DELETE FROM pat_scopes WHERE id = ANY($1)`
 
-	res, err := pr.db.ExecContext(ctx, deleteScopesQuery)
+	res, err := pr.db.ExecContext(ctx, deleteScopesQuery, scopesIDs)
 	if err != nil {
 		return errors.Wrap(repoerr.ErrRemoveEntity, err)
 	}

auth/service.go

@@ -5,8 +5,8 @@ package auth
 
 import (
 	"context"
+	"crypto/rand"
 	"encoding/base64"
-	"math/rand"
 	"strings"
 	"time"
 
@@ -723,7 +723,12 @@ func (svc service) generateSecretAndHash(userID, patID string) (string, string,
 		return "", "", errors.Wrap(errFailedToParseUUID, err)
 	}
 
-	secret := patPrefix + patSecretSeparator + encode(uID, pID) + patSecretSeparator + generateRandomString(100)
+	randomPart, err := generateRandomString(100)
+	if err != nil {
+		return "", "", err
+	}
+
+	secret := patPrefix + patSecretSeparator + encode(uID, pID) + patSecretSeparator + randomPart
 	secretHash, err := svc.hasher.Hash(secret)
 	return secret, secretHash, err
 }
@@ -750,14 +755,19 @@ func decode(encoded string) (uuid.UUID, uuid.UUID, error) {
 	return userID, patID, nil
 }
 
-func generateRandomString(n int) string {
+func generateRandomString(n int) (string, error) {
 	letterRunes := []rune(randStr)
-	rand.New(rand.NewSource(time.Now().UnixNano()))
 	b := make([]rune, n)
-	for i := range b {
-		b[i] = letterRunes[rand.Intn(len(letterRunes))]
+	randBytes := make([]byte, n)
+
+	if _, err := rand.Read(randBytes); err != nil {
+		return "", errors.Wrap(errors.New("failed to generate random string"), err)
 	}
-	return string(b)
+
+	for i := range b {
+		b[i] = letterRunes[int(randBytes[i])%len(letterRunes)]
+	}
+	return string(b), nil
 }
 
 func (svc service) authnAuthzUserPAT(ctx context.Context, token, patID string) (Key, error) {

pkg/ulid/ulid.go

@@ -5,7 +5,8 @@
 package ulid
 
 import (
-	"math/rand"
+	"crypto/rand"
+	"io"
 	"time"
 
 	"github.com/absmach/supermq"
@@ -19,15 +20,13 @@ var ErrGeneratingID = errors.New("generating id failed")
 var _ supermq.IDProvider = (*ulidProvider)(nil)
 
 type ulidProvider struct {
-	entropy *rand.Rand
+	entropy io.Reader
 }
 
 // New instantiates a ULID provider.
 func New() supermq.IDProvider {
-	seed := time.Now().UnixNano()
-	source := rand.NewSource(seed)
 	return &ulidProvider{
-		entropy: rand.New(source),
+		entropy: rand.Reader,
 	}
 }
 

users/service.go

@@ -8,7 +8,6 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"fmt"
-	mrand "math/rand"
 	"net/mail"
 	"regexp"
 	"strings"
@@ -743,18 +742,17 @@ func extractEmailPrefix(email string) string {
 }
 
 func generateRandomID() string {
-	randomBytes := make([]byte, 0, 16)
+	// Generate 8 random bytes (will result in 16 hex chars, truncated to 10)
+	randomBytes := make([]byte, 8)
 	if _, err := rand.Read(randomBytes); err != nil {
-		return fmt.Sprintf("%x", time.Now().UnixNano())[:10]
+		// Fallback: use UUID if crypto/rand fails (should never happen)
+		id, uuidErr := uuid.NewV4()
+		if uuidErr != nil {
+			// Last resort fallback
+			return fmt.Sprintf("%x", time.Now().UnixNano())[:10]
+		}
+		return hex.EncodeToString(id.Bytes())[:10]
 	}
-	id, err := uuid.NewV4()
-	if err == nil {
-		randomBytes = append(randomBytes, id.Bytes()...)
-	}
-
-	mrand.Shuffle(len(randomBytes), func(i, j int) {
-		randomBytes[i], randomBytes[j] = randomBytes[j], randomBytes[i]
-	})
 	return hex.EncodeToString(randomBytes)[:10]
 }