refactor: switch to use SecureRandom for random strings

postalserver · Mar 4, 2024 · ce30c07 · ce30c07
1 parent cae4b63
commit ce30c07
Show file tree

Hide file tree

Showing 6 changed files with 6 additions and 8 deletions.
diff --git a/app/lib/smtp_server/client.rb b/app/lib/smtp_server/client.rb
@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "nifty/utils/random_string"
-
 module SMTPServer
   class Client
 

diff --git a/app/models/concerns/has_authentication.rb b/app/models/concerns/has_authentication.rb
@@ -30,7 +30,7 @@ def authenticate_with_previous_password_first(unencrypted_password)
   end
 
   def begin_password_reset(return_to = nil)
-    self.password_reset_token = Nifty::Utils::RandomString.generate(length: 24)
+    self.password_reset_token = SecureRandom.alphanumeric(24)
     self.password_reset_token_valid_until = 1.day.from_now
     save!
     AppMailer.password_reset(self, return_to).deliver

diff --git a/app/models/domain.rb b/app/models/domain.rb
@@ -164,7 +164,7 @@ def update_verification_token_on_method_change
     return unless verification_method_changed?
 
     if verification_method == "DNS"
-      self.verification_token = Nifty::Utils::RandomString.generate(length: 32)
+      self.verification_token = SecureRandom.alphanumeric(32)
     elsif verification_method == "Email"
       self.verification_token = rand(999_999).to_s.ljust(6, "0")
     else

diff --git a/app/senders/http_sender.rb b/app/senders/http_sender.rb
@@ -6,7 +6,7 @@ def initialize(endpoint, options = {})
     super()
     @endpoint = endpoint
     @options = options
-    @log_id = Nifty::Utils::RandomString.generate(length: 8).upcase
+    @log_id = SecureRandom.alphanumeric(8).upcase
   end
 
   def send_message(message)

diff --git a/lib/postal/message_db/database.rb b/lib/postal/message_db/database.rb
@@ -327,7 +327,7 @@ def query_on_connection(connection, query)
         time = Time.now.to_f - start_time
         logger.debug "  \e[4;34mMessageDB Query (#{time.round(2)}s) \e[0m  \e[33m#{query}\e[0m"
         if time > 0.05 && query =~ /\A(SELECT|UPDATE|DELETE) /
-          id = Nifty::Utils::RandomString.generate(length: 6).upcase
+          id = SecureRandom.alphanumeric(8)
           explain_result = ResultForExplainPrinter.new(connection.query("EXPLAIN #{query}"))
           logger.info "  [#{id}] EXPLAIN #{query}"
           ActiveRecord::ConnectionAdapters::MySQL::ExplainPrettyPrinter.new.pp(explain_result, time).split("\n").each do |line|

diff --git a/lib/postal/message_db/message.rb b/lib/postal/message_db/message.rb
@@ -488,7 +488,7 @@ def create_load(request)
       #
       def create_link(url)
         hash = Digest::SHA1.hexdigest(url.to_s)
-        token = Nifty::Utils::RandomString.generate(length: 8)
+        token = SecureRandom.alphanumeric(16)
         database.insert(:links, { message_id: id, hash: hash, url: url, timestamp: Time.now.to_f, token: token })
         token
       end
@@ -585,7 +585,7 @@ def _update
       def _create(queue: true)
         self.timestamp = Time.now.to_f if timestamp.blank?
         self.status = "Pending" if status.blank?
-        self.token = Nifty::Utils::RandomString.generate(length: 12) if token.blank?
+        self.token = SecureRandom.alphanumeric(16) if token.blank?
         last_id = @database.insert("messages", @attributes.except(:id))
         @attributes["id"] = last_id
         @database.statistics.increment_all(timestamp, scope)