Skip to content

🔒 [security] Fix insecure randomness for Hardware ID#43

Merged
rnovatorov merged 1 commit intomainfrom
security-fix-hardware-id-randomness-9181080693173774899
Apr 1, 2026
Merged

🔒 [security] Fix insecure randomness for Hardware ID#43
rnovatorov merged 1 commit intomainfrom
security-fix-hardware-id-randomness-9181080693173774899

Conversation

@rnovatorov
Copy link
Copy Markdown
Member

@rnovatorov rnovatorov commented Apr 1, 2026

This PR fixes a security vulnerability where hardware IDs were generated using the insecure random module. The generation logic has been updated to use the secrets module, ensuring cryptographic security while preserving the existing ID format (a 'V' prefix followed by 32 uppercase hexadecimal characters).

Changes:

  • Removed import random and added import secrets in src/enapter/http/api/devices/client.py.
  • Updated random_hardware_id() to use secrets.token_hex(16).upper().
  • Verified the fix with a reproduction test script that validates the ID format and length.
  • Confirmed the changes pass project linting (black, isort, mypy).

PR created automatically by Jules for task 9181080693173774899 started by @rnovatorov

@google-labs-jules @rnovatorov
🔒 [security] Replace insecure random with secrets for hardware ID
bc24f81 
The hardware ID generation was using the insecure `random` module, which is not suitable for generating secure identifiers. This commit replaces it with the cryptographically secure `secrets` module while maintaining the exact output format (prefix "V" + 32 uppercase hexadecimal characters).

🎯 **What:** The vulnerability fixed is the use of insecure randomness (via `random.randbytes`) for generating hardware IDs.
⚠️ **Risk:** Hardware IDs generated with `random` might be predictable, potentially allowing an attacker to guess or collision identifiers if the random seed is compromised or predictable.
🛡️ **Solution:** Switched to `secrets.token_hex(16).upper()`, which uses the system's best available source of randomness and is recommended for security-sensitive contexts.

Co-authored-by: rnovatorov <20299819+rnovatorov@users.noreply.github.com>
@google-labs-jules
Copy link
Copy Markdown
Contributor

google-labs-jules bot commented Apr 1, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@rnovatorov rnovatorov marked this pull request as ready for review April 1, 2026 11:34
@rnovatorov rnovatorov merged commit de5f7c7 into main Apr 1, 2026
7 checks passed
@rnovatorov rnovatorov deleted the security-fix-hardware-id-randomness-9181080693173774899 branch April 1, 2026 11:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rnovatorov