-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
math/rand: deprecate Read #20661
Comments
We can't change this for Go 1, so I've tagged this for Go2 for consideration in the future. |
You can always do
That at least makes it clearer at the callsite what you intended. |
@bradfitz - makes sense; is there a warning capability in the Go 1 compiler? |
Intentionally not. See the https://golang.org/doc/faq#unused_variables_and_imports answer. |
Why can't we just add new alias functions with a suffix like Crypto e.g. ReadCrypto/NewCrypto/NewSourceCrypto/etc... That way we still have the 1.0 compatibility and makes it easier for people to make sure they are using the correct rand. |
I suppose we could, but we generally try to avoid having two ways to do the same thing. |
Well I'm not in the affected group so I'll let you guys debate if the pros outweigh the cons. But I can imagine some company having a security vulnerability cause of some late night coding where someone auto imported math/rand instead of crypto/rand. |
Your security vulnerability scenario involves all of the following failures:
It's possible, but it's a bit of a stretch. I don't think it warrants fixing in Go 1.x where it can't be changed cleanly. In the meantime, file bugs against any auto-import tools that get it wrong. |
Also: tools like gas (https://github.com/GoASTScanner/gas) already catch this. |
I don't think we should change the name of the |
One possibility is to remove rand.Read in a v2 of math/rand, but another possibility (or a step toward that) would be to mark Read as Deprecated, like // Deprecated: For almost all use cases, crypto/rand.Read is more appropriate. |
This proposal has been added to the active column of the proposals project |
Does anyone object to marking math/rand.Read deprecated? |
Based on the discussion above, this proposal seems like a likely accept. |
Change https://go.dev/cl/436955 mentions this issue: |
Change https://go.dev/cl/436956 mentions this issue: |
No change in consensus, so accepted. 🎉 |
For #20661. Change-Id: I1e638cb619e643eadc210d71f92bd1af7bafc912 Reviewed-on: https://go-review.googlesource.com/c/go/+/436955 Reviewed-by: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: hopehook <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]> Reviewed-by: Robert Griesemer <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]>
For golang#20661. Change-Id: I1e638cb619e643eadc210d71f92bd1af7bafc912 Reviewed-on: https://go-review.googlesource.com/c/go/+/436955 Reviewed-by: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: hopehook <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]> Reviewed-by: Robert Griesemer <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]>
one can use gosec linter with golanglint-ci like so golangci-lint run --disable-all --enable gosec |
Just FYI this exact issue caused a CVE in rclone https://nvd.nist.gov/vuln/detail/CVE-2020-28924 The code when written used the correct crypto/rand but after some refactoring the import on the file got changed to math/rand and no one noticed 😟 I suspect goimports might have been involved. It was certainly in use then! |
#59629 suggest add math/rand.InsecureRand |
What version of Go are you using (
go version
)?1.7.3
What operating system and processor architecture are you using (
go env
)?all
What did you do?
I wrote https://play.golang.org/p/WpSHEv_Mc7
I should have written https://play.golang.org/p/Ho8Ior-om7
In practice, the import statement and the function invocation are not one line apart, but separated by a lot of code. Also, IDEs may automatically import the wrong package.
What did you expect to see?
I expected crypto rand to be obviously different than math rand. Something like:
while,
This makes it super clear that one is not like the other, and helps the developer decide which to use. Also helps code reviewers determine if there is an obvious error.
Security should be explicit.
What did you see instead?
I saw experienced and inexperienced developers both make the same mistake of using math/rand instead of crypto/rand, and code reviews miss the problem.
The text was updated successfully, but these errors were encountered: