From beca81c99074ecc98a6ad407aef95acfbba68743 Mon Sep 17 00:00:00 2001
From: Greg Wilkins
Date: Thu, 16 Jul 2020 15:31:19 +0200
Subject: [PATCH] Fixes #5053 CWE-331 (#5056)
Replace uses of Random with SecureRandom. We do not believe any of these uses of Random represent any security vulnerability, but we are making this change for an abundance of caution and to avoid warnings from 3rd party scanning tools.
---
 .../org/eclipse/jetty/client/util/DigestAuthentication.java | 4 ++--
 .../eclipse/jetty/client/util/MultiPartContentProvider.java | 3 ++-
 .../org/eclipse/jetty/plus/webapp/PlusConfiguration.java | 5 +++--
 .../eclipse/jetty/websocket/client/masks/RandomMasker.java | 3 ++-
 4 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/util/DigestAuthentication.java b/jetty-client/src/main/java/org/eclipse/jetty/client/util/DigestAuthentication.java
index 2327a35f0c38..37ce42b69680 100644
--- a/jetty-client/src/main/java/org/eclipse/jetty/client/util/DigestAuthentication.java
+++ b/jetty-client/src/main/java/org/eclipse/jetty/client/util/DigestAuthentication.java
@@ -22,10 +22,10 @@
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Random;
 import java.util.concurrent.atomic.AtomicInteger;
 import org.eclipse.jetty.client.HttpClient;
@@ -46,6 +46,7 @@
 */
 public class DigestAuthentication extends AbstractAuthentication
 {
+ private static final SecureRandom random = new SecureRandom();
 private final String user;
 private final String password;
@@ -216,7 +217,6 @@ private String nextNonceCount()
 private String newClientNonce()
 {
- Random random = new Random();
 byte[] bytes = new byte[8];
 random.nextBytes(bytes);
 return toHexString(bytes);
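Review bot: The new shared generator is declared three different ways across this patch — `private static final SecureRandom random` here, `private static final Random random` in the MultiPartContentProvider field hunk, and `private static final Random __random` in the PlusConfiguration field hunk — so one fix reads as three conventions. Declaring all three as `SecureRandom` keeps the intent visible at the declaration and prevents a later edit from quietly assigning a plain `Random` to a `Random`-typed field, which the scanners this commit is appeasing would not necessarily catch. Since each field is now a single process-wide instance reached from every caller of the enclosing class, a one-line comment such as `// Shared across instances; SecureRandom is documented as safe for concurrent use` would explain why a static replaces the former per-call `new Random()`.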
diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/util/MultiPartContentProvider.java b/jetty-client/src/main/java/org/eclipse/jetty/client/util/MultiPartContentProvider.java
index a3546550a91c..9110d5d86a8c 100644
--- a/jetty-client/src/main/java/org/eclipse/jetty/client/util/MultiPartContentProvider.java
+++ b/jetty-client/src/main/java/org/eclipse/jetty/client/util/MultiPartContentProvider.java
@@ -23,6 +23,7 @@
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
@@ -69,6 +70,7 @@ public class MultiPartContentProvider extends AbstractTypedContentProvider imple
 private static final Logger LOG = Log.getLogger(MultiPartContentProvider.class);
 private static final byte[] COLON_SPACE_BYTES = new byte[]{':', ' '};
 private static final byte[] CR_LF_BYTES = new byte[]{'\r', '\n'};
+ private static final Random random = new SecureRandom();
 private final List parts = new ArrayList<>();
 private final ByteBuffer firstBoundary;
@@ -99,7 +101,6 @@ public MultiPartContentProvider(String boundary)
 private static String makeBoundary()
 {
- Random random = new Random();
 StringBuilder builder = new StringBuilder("JettyHttpClientBoundary");
 int length = builder.length();
 while (builder.length() < length + 16)
diff --git a/jetty-plus/src/main/java/org/eclipse/jetty/plus/webapp/PlusConfiguration.java b/jetty-plus/src/main/java/org/eclipse/jetty/plus/webapp/PlusConfiguration.java
index 4695737f8d59..1744c227bc31 100644
--- a/jetty-plus/src/main/java/org/eclipse/jetty/plus/webapp/PlusConfiguration.java
+++ b/jetty-plus/src/main/java/org/eclipse/jetty/plus/webapp/PlusConfiguration.java
@@ -18,6 +18,7 @@
 package org.eclipse.jetty.plus.webapp;
+import java.security.SecureRandom;
 import java.util.Random;
 import javax.naming.Context;
 import javax.naming.InitialContext;
@@ -39,6 +40,7 @@
 public class PlusConfiguration extends AbstractConfiguration
 {
 private static final Logger LOG = Log.getLogger(PlusConfiguration.class);
+ private static final Random __random = new SecureRandom();
 private Integer _key;
@@ -99,8 +101,7 @@ protected void lockCompEnv(WebAppContext wac)
 {
 try (ThreadClassLoaderScope scope = new ThreadClassLoaderScope(wac.getClassLoader()))
 {
- Random random = new Random();
- _key = random.nextInt();
+ _key = __random.nextInt();
 Context context = new InitialContext();
 Context compCtx = (Context)context.lookup("java:comp");
 compCtx.addToEnvironment(NamingContext.LOCK_PROPERTY, _key);
diff --git a/jetty-websocket/websocket-client/src/main/java/org/eclipse/jetty/websocket/client/masks/RandomMasker.java b/jetty-websocket/websocket-client/src/main/java/org/eclipse/jetty/websocket/client/masks/RandomMasker.java
index 3f67174e8517..5a9126a80213 100644
--- a/jetty-websocket/websocket-client/src/main/java/org/eclipse/jetty/websocket/client/masks/RandomMasker.java
+++ b/jetty-websocket/websocket-client/src/main/java/org/eclipse/jetty/websocket/client/masks/RandomMasker.java
@@ -18,6 +18,7 @@
 package org.eclipse.jetty.websocket.client.masks;
+import java.security.SecureRandom;
 import java.util.Random;
 import org.eclipse.jetty.websocket.common.WebSocketFrame;
@@ -28,7 +29,7 @@ public class RandomMasker implements Masker
 public RandomMasker()
 {
- this(new Random());
+ this(new SecureRandom());
 }
 public RandomMasker(Random random)
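Review bot: The purpose of `_key` is not stated anywhere in the lockCompEnv hunk, and the switch to `__random.nextInt()` only matters if the key is meant to be unguessable, so a comment on the assignment would make that explicit, e.g. `// Lock token for java:comp; must not be predictable by webapp code, hence SecureRandom`. The java:comp role is inferred from the method name and the `LOCK_PROPERTY` call three lines below, so confirm the wording against NamingContext before adding it. Note that `nextInt()` still yields a 32-bit token because `_key` is an `Integer` declared in the earlier field hunk; whether that width is adequate depends on how NamingContext checks `LOCK_PROPERTY`, which is not visible here. lockCompEnv continues outside the hunk.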
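Review bot: `this(new SecureRandom())` allocates a separate SecureRandom for every RandomMasker, whereas the other three files in this patch share one static instance; if a masker is created per connection (not visible here), a `private static final SecureRandom` passed to `this(...)` would avoid per-instance construction, and SecureRandom is documented as safe for concurrent use. The `RandomMasker(Random random)` constructor on the last line still accepts any `Random`, so the stronger default can be undone by caller code without any warning; a Javadoc line on it saying that the supplied generator should be cryptographically strong, because RFC 6455 §5.3 requires the masking key to be unpredictable and derived from a strong source of entropy, and that the no-arg constructor uses `SecureRandom` for that reason, would document the expectation. That constructor's body is outside the hunk.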