From 41605aaac1ec9fb0020c663b703255ee2cf3615f Mon Sep 17 00:00:00 2001 From: Pavlo Shchelokovskyy Date: Mon, 22 Jan 2018 18:17:37 +0200 Subject: [PATCH] Replace random with SystemRandom for RandomString it might be theoretically possible to infer the state of standard Python's RNG in a long-running heat-engine service from multiple created RandomString resources. Let's use the random.SystemRandom (and os.urandom) for OS::Heat::RandomString instead. Change-Id: Iac5c03176fc8bae95ada883621196bd9cb453be3 Closes-Bug: #1745931 --- heat/engine/resources/openstack/heat/random_string.py | 6 +++++- .../notes/system-random-string-38a14ae2cb6f4a24.yaml | 6 ++++++ 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/system-random-string-38a14ae2cb6f4a24.yaml diff --git a/heat/engine/resources/openstack/heat/random_string.py b/heat/engine/resources/openstack/heat/random_string.py index d4758531ec..9052b5062a 100644 --- a/heat/engine/resources/openstack/heat/random_string.py +++ b/heat/engine/resources/openstack/heat/random_string.py @@ -11,7 +11,7 @@ # License for the specific language governing permissions and limitations # under the License. -import random +import random as random_module import string import six @@ -25,6 +25,10 @@ from heat.engine import resource from heat.engine import support from heat.engine import translation +# NOTE(pas-ha) Heat officially supports only POSIX::Linux platform +# where os.urandom() and random.SystemRandom() are available +random = random_module.SystemRandom() + class RandomString(resource.Resource): """A resource which generates a random string. diff --git a/releasenotes/notes/system-random-string-38a14ae2cb6f4a24.yaml b/releasenotes/notes/system-random-string-38a14ae2cb6f4a24.yaml new file mode 100644 index 0000000000..713317c8ff --- /dev/null +++ b/releasenotes/notes/system-random-string-38a14ae2cb6f4a24.yaml @@ -0,0 +1,6 @@ +--- +security: + - | + Heat no longer uses standard Python RNG when generating values for + OS::Heat::RandomString resource, and instead relies on system's RNG + for that.