Skip to content

fqdn_rotate: Don't use the value itself as part of the random seed #462

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jun 2, 2015
Merged

fqdn_rotate: Don't use the value itself as part of the random seed #462

merged 3 commits into from
Jun 2, 2015

Conversation

elyscape
Copy link
Contributor

Previously, the random number generator was seeded with the array or string to be rotated in addition to any values specifically provided for seeding. This behavior is potentially insecure in that it allows an attacker who can modify the source data to choose the post-shuffle order. While this is probably not a particularly big issue, it's still worth changing.

This also improves the documentation for fqdn_rotate.

@puppet-community-ci
Copy link 

The result of the test was: PASS
Details at http://planck.nibalizer.com/buildlogs//puppetlabs+puppetlabs-stdlib+462+1432864204+PASS

I am a beta ci bot. I am probably lying to you.
You can contact nibalizer for more details

@DavidS
Copy link
Contributor

DavidS commented May 29, 2015

Hi @elyscape , I think I like that change, but I'm having a hard time to put into words why this is needed. Would you mind enhancing the commit message to explain that?

@puppet-community-ci
Copy link

The result of the test was: PASS
Details at http://planck.nibalizer.com/buildlogs/puppetlabs+puppetlabs-stdlib+462+1432892309+PASS

I am a beta ci bot. I am probably lying to you.
You can contact nibalizer for more details.

@elyscape
Copy link
Contributor Author

@DavidS: Sure. Will do.

@puppet-community-ci
Copy link

The result of the test was: PASS
Details at http://ci.puppet.community/buildlogs/puppetlabs+puppetlabs-stdlib+462+1433062069+PASS

I am a beta ci bot. I am probably lying to you.
You can contact nibalizer for more details.

@elyscape elyscape force-pushed the fix/fqdn_rotate_seeds_with_argument branch from a8cf2dc to 2478c40 Compare June 1, 2015 23:10
@elyscape
Copy link
Contributor Author

elyscape commented Jun 1, 2015

@DavidS: Done.

@elyscape
Copy link
Contributor Author

elyscape commented Jun 1, 2015

Hold up, there's a bug in the spec tests.

elyscape added 2 commits June 1, 2015 16:19
@elyscape
fqdn_rotate: Don't use the value itself as part of the random seed
601f681 
Previously, the random number generator was seeded with the array or
string to be rotated in addition to any values specifically provided for
seeding. This behavior is potentially insecure in that it allows an
attacker who can modify the source data to choose the post-shuffle
order.
@elyscape
fqdn_rotate: Improve documentation
d7c8460
@elyscape elyscape force-pushed the fix/fqdn_rotate_seeds_with_argument branch from 2478c40 to d7c8460 Compare June 1, 2015 23:20
@elyscape
Copy link
Contributor Author

elyscape commented Jun 1, 2015

Or not. By chance, the rotation in this test is the same before and after the change.

That being said, question: why was this test added?

it {
  pending("Current implementation ignores parameters after the first.")
  is_expected.to run.with_params("one", "two").and_raise_error(Puppet::ParseError)
}

This has never been the case. It has always accepted a seed in the second parameter. In light of that, I have removed it.

@elyscape
Copy link
Contributor Author

elyscape commented Jun 1, 2015

Ah, looks like there are no spec tests for the custom seed functionality. I'll add some real quick.

@puppet-community-ci
Copy link

The result of the test was: PASS
Details at http://ci.puppet.community/buildlogspuppetlabs+puppetlabs-stdlib+462+1433201432+PASS

I am a beta ci bot. I am probably lying to you.
You can contact nibalizer for more details.

@puppet-community-ci
Copy link

The result of the test was: PASS
Details at http://ci.puppet.community/buildlogspuppetlabs+puppetlabs-stdlib+462+1433202081+PASS

I am a beta ci bot. I am probably lying to you.
You can contact nibalizer for more details.

@elyscape
Copy link
Contributor Author

elyscape commented Jun 1, 2015

Okay, improved spec tests are in. Improved acceptance tests will come in another PR that will also improve the acceptance tests for fqdn_rand_string().

@elyscape elyscape mentioned this pull request Jun 1, 2015
Merged
@puppet-community-ci
Copy link

The result of the test was: PASS
Details at http://ci.puppet.community/buildlogspuppetlabs+puppetlabs-stdlib+462+1433202713+PASS

I am a beta ci bot. I am probably lying to you.
You can contact nibalizer for more details.

@elyscape elyscape force-pushed the fix/fqdn_rotate_seeds_with_argument branch from 1e9d82e to b436216 Compare June 2, 2015 00:03
@puppet-community-ci
Copy link

The result of the test was: PASS
Details at http://ci.puppet.community/buildlogspuppetlabs+puppetlabs-stdlib+462+1433204642+PASS

I am a beta ci bot. I am probably lying to you.
You can contact nibalizer for more details.

DavidS added a commit that referenced this pull request Jun 2, 2015
@DavidS
Merge pull request #462 from elyscape/fix/fqdn_rotate_seeds_with_argu…
07e8b39 
…ment

fqdn_rotate: Don't use the value itself as part of the random seed
@DavidS DavidS merged commit 07e8b39 into puppetlabs:master Jun 2, 2015
@DavidS
Copy link
Contributor

DavidS commented Jun 2, 2015

Thank you for this work!

@elyscape elyscape deleted the fix/fqdn_rotate_seeds_with_argument branch June 2, 2015 19:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bugfix
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@elyscape @puppet-community-ci @DavidS @jordanbreen28