From 847cd5fe0cd55f91087eace9387f2b3e0e09b35f Mon Sep 17 00:00:00 2001
From: vikingowl
Date: Sun, 24 May 2026 16:22:50 +0200
Subject: [PATCH] fix(security): use crypto/rand for session-ID suffix

Semgrep flagged math/rand for the /tmp artifact-directory session-ID generation. Modern Go (1.20+) auto-seeds the global math/rand source so this wasn't exploitable in practice, but crypto/rand is the idiomatic choice for any security-adjacent identifier and removes the finding from future security audits. Drops the mrand alias entirely; reads 8 random bytes once and masks to 24 bits to preserve the existing %06x suffix format.
---
 cmd/gnoma/main.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/cmd/gnoma/main.go b/cmd/gnoma/main.go
index cdd9b07..5d59628 100644
--- a/cmd/gnoma/main.go
+++ b/cmd/gnoma/main.go
@@ -2,13 +2,14 @@ package main
 
 import (
 	"context"
+	"crypto/rand"
+	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
 	"log/slog"
-	mrand "math/rand"
 	"os"
 	"os/signal"
 	"path/filepath"
@@ -656,10 +657,14 @@ func main() {
 	}
 	permChecker := permission.NewChecker(permission.Mode(*permMode), permRules, pipePromptFn)
-	// Generate session-scoped ID for /tmp artifact directory
+	// Generate session-scoped ID for /tmp artifact directory.
+	// Use crypto/rand so the suffix isn't predictable even if a future
+	// caller seeds math/rand deterministically (e.g., in tests).
+	var randBuf [8]byte
+	_, _ = rand.Read(randBuf[:])
 	sessionID := fmt.Sprintf("%s-%06x",
 		time.Now().Format("20060102-150405"),
-		mrand.Int63()&0xffffff,
+		binary.BigEndian.Uint64(randBuf[:])&0xffffff,
 	)
 	// Pass the firewall's incognito mode so Save no-ops while incognito
 	// is active. Mode is consulted on every Save (dynamic), so TUI
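Review bot: The added line `_, _ = rand.Read(randBuf[:])` discards the error, and on Go versions before 1.24 crypto/rand.Read can fail and leave randBuf zeroed, so the suffix would silently become the constant `000000` — exactly the predictable ID this commit sets out to remove; the message only commits to Go 1.20+, so that case is live. Either check it, `if _, err := rand.Read(randBuf[:]); err != nil { slog.Error("generating session ID", "err", err); os.Exit(1) }`, or, if the module requires Go 1.24+ where Read is documented never to return an error, replace the blank assignment with a comment stating that guarantee so the ignored result is deliberate rather than a linter-visible gap. Separately, 24 random bits behind a one-second timestamp is adequate for uniqueness but is not what protects a /tmp path from a local user pre-creating or symlinking it; that depends on how the directory is created, which is outside this hunk — if it is not already `os.MkdirTemp` or `os.Mkdir(dir, 0o700)` with an error on an existing path, that is the check worth adding alongside this one. main() begins and ends outside the hunk.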