Fix DUO102 warnings

Added comments to ignore some because: "Python uses the Mersenne Twister as the core generator. However, being completely deterministic, it is not suitable for all purposes, and is completely unsuitable for cryptographic purposes. Because the generator is deterministic this means attackers can predict future values given a sufficient amount of previous values. Normal random use is acceptable if the relevant code is not used for security or cryptographic purposes."
2021-04-21 19:11:13 +05:30 · 2021-04-21 19:11:13 +05:30 · a3fa4663cb
parent d8c1bf5cbe
commit a3fa4663cb
5 changed files with 10 additions and 8 deletions
--- a/monkey/infection_monkey/exploit/hadoop.py
+++ b/monkey/infection_monkey/exploit/hadoop.py
@ -7,8 +7,8 @@
 import json
 import logging
 import posixpath
-import random
 import string
+from random import SystemRandom

 import requests

@ -69,8 +69,9 @@ class HadoopExploiter(WebRCE):
        resp = json.loads(resp.content)
        app_id = resp["application-id"]
        # Create a random name for our application in YARN
+        safe_random = SystemRandom()
        rand_name = ID_STRING + "".join(
-            [random.choice(string.ascii_lowercase) for _ in range(self.RAN_STR_LEN)]
+            [safe_random.choice(string.ascii_lowercase) for _ in range(self.RAN_STR_LEN)]
        )
        payload = self.build_payload(app_id, rand_name, command)
        resp = requests.post(
--- a/monkey/infection_monkey/exploit/shellshock.py
+++ b/monkey/infection_monkey/exploit/shellshock.py
@ -3,7 +3,7 @@

 import logging
 import string
-from random import choice
+from random import SystemRandom

 import requests

@ -37,8 +37,9 @@ class ShellShockExploiter(HostExploiter):
    def __init__(self, host):
        super(ShellShockExploiter, self).__init__(host)
        self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
+        safe_random = SystemRandom()
        self.success_flag = "".join(
-            choice(string.ascii_uppercase + string.digits) for _ in range(20)
+            safe_random.choice(string.ascii_uppercase + string.digits) for _ in range(20)
        )
        self.skip_exist = self._config.skip_exploit_if_file_exist

--- a/monkey/infection_monkey/network/info.py
+++ b/monkey/infection_monkey/network/info.py
@ -1,7 +1,7 @@
 import itertools
 import socket
 import struct
-from random import randint
+from random import randint  # noqa: DUO102
 from subprocess import check_output

 import netifaces
--- a/monkey/infection_monkey/network/tcp_scanner.py
+++ b/monkey/infection_monkey/network/tcp_scanner.py
@ -1,5 +1,5 @@
 from itertools import zip_longest
-from random import shuffle
+from random import shuffle  # noqa: DUO102

 import infection_monkey.config
 from infection_monkey.network.HostFinger import HostFinger
--- a/monkey/infection_monkey/post_breach/actions/communicate_as_new_user.py
+++ b/monkey/infection_monkey/post_breach/actions/communicate_as_new_user.py
@ -52,8 +52,8 @@ class CommunicateAsNewUser(PBA):
    @staticmethod
    def get_random_new_user_name():
        return USERNAME_PREFIX + "".join(
-            random.choice(string.ascii_lowercase) for _ in range(5)
-        )  # noqa: DUO102
+            random.choice(string.ascii_lowercase) for _ in range(5)  # noqa: DUO102
+        )

    @staticmethod
    def get_commandline_for_http_request(url, is_windows=is_windows_os()):