From de7766f2451a7013b54c285f378bf7cbfef1d766 Mon Sep 17 00:00:00 2001
From: "leonid.marushevskiy"
Date: Fri, 20 Dec 2013 16:43:55 +0200
Subject: [PATCH 1/4] VERACODE-659: fix of CWE ID 331 insufficient entropy in RandomLoadBalancer
---
 .../camel/processor/loadbalancer/RandomLoadBalancer.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/camel-core/src/main/java/org/apache/camel/processor/loadbalancer/RandomLoadBalancer.java b/camel-core/src/main/java/org/apache/camel/processor/loadbalancer/RandomLoadBalancer.java
index 9771c672178e3..9ace0bee571df 100644
--- a/camel-core/src/main/java/org/apache/camel/processor/loadbalancer/RandomLoadBalancer.java
+++ b/camel-core/src/main/java/org/apache/camel/processor/loadbalancer/RandomLoadBalancer.java
@@ -16,8 +16,8 @@
 */
 package org.apache.camel.processor.loadbalancer;
+import java.security.SecureRandom;
 import java.util.List;
-import java.util.Random;
 import org.apache.camel.Exchange;
 import org.apache.camel.Processor;
@@ -29,7 +29,7 @@
 */
 public class RandomLoadBalancer extends QueueLoadBalancer {
- private static final Random RANDOM = new Random();
+ private static final SecureRandom RANDOM = new SecureRandom();
 protected synchronized Processor chooseProcessor(List processors, Exchange exchange) {
 int size = processors.size();
From a1920ad74c7f10ce3148482bd7d033b530a3e681 Mon Sep 17 00:00:00 2001
From: "leonid.marushevskiy"
Date: Fri, 20 Dec 2013 16:49:43 +0200
Subject: [PATCH 2/4] VERACODE-660: fix of CWE ID 331 insufficient entropy in RedeliveryPolicy
---
 .../org/apache/camel/processor/RedeliveryPolicy.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/camel-core/src/main/java/org/apache/camel/processor/RedeliveryPolicy.java b/camel-core/src/main/java/org/apache/camel/processor/RedeliveryPolicy.java
index 2ed9305a3e383..8d68267ab0770 100644
--- a/camel-core/src/main/java/org/apache/camel/processor/RedeliveryPolicy.java
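Review bot: The `RANDOM` field in RandomLoadBalancer (hunk at -29,7) presumably only picks which processor handles an exchange, which is not a secret, so the move to `SecureRandom` looks like it answers the scanner finding rather than a weakness, and nothing in the hunk records that. The visible `chooseProcessor` is `synchronized`, so each exchange now draws from a CSPRNG while holding the balancer's lock, and depending on the JVM's `securerandom.source` setting the first draw may wait on OS entropy. I would either keep `java.util.Random` and mark the finding as not applicable, or keep the change and add a comment such as `// Not security-sensitive: SecureRandom is used here only to satisfy static analysis (CWE-331).` The same point applies to the `rnd` field in WeightedRandomLoadBalancer and to the delay jitter in `calculateRedeliveryDelay`. The body of `chooseProcessor` continues outside the hunk.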
+++ b/camel-core/src/main/java/org/apache/camel/processor/RedeliveryPolicy.java
@@ -17,7 +17,7 @@
 package org.apache.camel.processor;
 import java.io.Serializable;
-import java.util.Random;
+import java.security.SecureRandom;
 import org.apache.camel.Exchange;
 import org.apache.camel.LoggingLevel;
@@ -75,7 +75,7 @@
 * @version
 */
 public class RedeliveryPolicy implements Cloneable, Serializable {
- protected static Random randomNumberGenerator;
+ protected static SecureRandom randomNumberGenerator;
 private static final long serialVersionUID = -338222777701473252L;
 private static final Logger LOG = LoggerFactory.getLogger(RedeliveryPolicy.class);
@@ -217,7 +217,7 @@ public long calculateRedeliveryDelay(long previousDelay, int redeliveryCounter)
 * First random determines +/-, second random determines how far to
 * go in that direction. -cgs
 */
- Random random = getRandomNumberGenerator();
+ SecureRandom random = getRandomNumberGenerator();
 double variance = (random.nextBoolean() ? collisionAvoidanceFactor : -collisionAvoidanceFactor) * random.nextDouble();
 redeliveryDelayResult += redeliveryDelayResult * variance;
@@ -544,9 +544,9 @@ public void setUseExponentialBackOff(boolean useExponentialBackOff) {
 this.useExponentialBackOff = useExponentialBackOff;
 }
- protected static synchronized Random getRandomNumberGenerator() {
+ protected static synchronized SecureRandom getRandomNumberGenerator() {
 if (randomNumberGenerator == null) {
- randomNumberGenerator = new Random();
+ randomNumberGenerator = new SecureRandom();
 }
 return randomNumberGenerator;
 }
From a3ea9952d612a7214815d5ea3c2102fd7819eb6d Mon Sep 17 00:00:00 2001
From: "leonid.marushevskiy"
Date: Fri, 20 Dec 2013 16:52:50 +0200
Subject: [PATCH 3/4] VERACODE-663: fix of CWE ID 331 insufficient entropy in WeightedRandomLoadBalancer
---
 .../processor/loadbalancer/WeightedRandomLoadBalancer.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
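Review bot: Narrowing the declared type of the `protected static` field `randomNumberGenerator` (hunk at -75,7) and the return type of `getRandomNumberGenerator()` (hunk at -544,9) to `SecureRandom` can break subclasses outside this patch that assign a plain `Random`, for instance a seeded one for repeatable tests. `SecureRandom` extends `Random`, so the declarations can stay as they were and only the instantiation has to change: `protected static Random randomNumberGenerator;` together with `randomNumberGenerator = new SecureRandom();`. The local in `calculateRedeliveryDelay` (hunk at -217,7) can then stay `Random random = getRandomNumberGenerator();`. Whether any subclass depends on the old types is not visible from these hunks.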
diff --git a/camel-core/src/main/java/org/apache/camel/processor/loadbalancer/WeightedRandomLoadBalancer.java b/camel-core/src/main/java/org/apache/camel/processor/loadbalancer/WeightedRandomLoadBalancer.java
index d566a8a5f42fd..ad56a9f91e973 100644
--- a/camel-core/src/main/java/org/apache/camel/processor/loadbalancer/WeightedRandomLoadBalancer.java
+++ b/camel-core/src/main/java/org/apache/camel/processor/loadbalancer/WeightedRandomLoadBalancer.java
@@ -16,14 +16,14 @@
 */
 package org.apache.camel.processor.loadbalancer;
+import java.security.SecureRandom;
 import java.util.List;
-import java.util.Random;
 import org.apache.camel.Exchange;
 import org.apache.camel.Processor;
 public class WeightedRandomLoadBalancer extends WeightedLoadBalancer {
- private final Random rnd = new Random();
+ private final SecureRandom rnd = new SecureRandom();
 private final int distributionRatioSum;
 private int runtimeRatioSum;
From fa7a52fe6ce05a26c3826161fc8c3e42eebb2861 Mon Sep 17 00:00:00 2001
From: "leonid.marushevskiy"
Date: Fri, 20 Dec 2013 16:56:10 +0200
Subject: [PATCH 4/4] VERACODE-654: fix of CWE ID 331 insufficient entropy in FileUtil
---
 camel-core/src/main/java/org/apache/camel/util/FileUtil.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/camel-core/src/main/java/org/apache/camel/util/FileUtil.java b/camel-core/src/main/java/org/apache/camel/util/FileUtil.java
index b624a210d84db..17ee881f8806d 100644
--- a/camel-core/src/main/java/org/apache/camel/util/FileUtil.java
+++ b/camel-core/src/main/java/org/apache/camel/util/FileUtil.java
@@ -21,9 +21,9 @@
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.nio.channels.FileChannel;
+import java.security.SecureRandom;
 import java.util.Iterator;
 import java.util.Locale;
-import java.util.Random;
 import java.util.Stack;
 import org.slf4j.Logger;
@@ -317,7 +317,7 @@ private static File createNewTempDir() {
 }
 // create a sub folder with a random number
- Random ran = new Random();
+ SecureRandom ran = new SecureRandom();
 int x = ran.nextInt(1000000);
 File f = new File(s, "camel-tmp-" + x);
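Review bot: In `createNewTempDir`, `ran.nextInt(1000000)` still limits the directory suffix to one of a million values (about 20 bits), so the stronger generator does little to make `camel-tmp-<n>` hard to guess in a shared temp location. What protects a temp directory is atomic creation that fails when the name already exists, plus owner-only permissions. If the project's minimum Java level allows it, `java.nio.file.Files.createTempDirectory` with the prefix `"camel-tmp-"` provides the atomic create, and on POSIX systems current JDKs create the directory with owner-only access; otherwise widen the suffix, e.g. `long x = ran.nextLong() & Long.MAX_VALUE;`. The code that actually creates `f` lies outside the hunk, so confirm that it treats an already existing directory as a failure rather than reusing it.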