Steps to reproduce
```csharp
private static void WriteEncryptionHeader(Stream stream, long crcValue)
{
    byte[] cryptBuffer = new byte[ZipConstants.CryptoHeaderSize];
    var rnd = new Random();
    rnd.NextBytes(cryptBuffer);
    cryptBuffer[11] = (byte)(crcValue >> 24);
    stream.Write(cryptBuffer, 0, cryptBuffer.Length);
}
```
Expected behavior
Replace all uses of System.Random() with a cryptographic version such as that provided by RNGCryptoServiceProvider.
Actual behavior
SharpZipLib fails security scans.
Version of SharpZipLib
1.3.0
The referenced code is this:
SharpZipLib/src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs
Line 3727 in 716b913
But the same method is also used in:
SharpZipLib/src/ICSharpCode.SharpZipLib/Zip/ZipOutputStream.cs
Line 629 in 9e02750
There are possibly 3 uses of the insecure Random() found throughout the codebase.
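One way to apply the change requested in this issue, as an added example that is not SharpZipLib's code or the fix that was merged: the header bytes come from the operating system CSPRNG through `RandomNumberGenerator.Create()`, the base class behind the `RNGCryptoServiceProvider` named in the issue, next to the `System.Random` pattern for comparison. The class name, the local `CryptoHeaderSize` constant (assumed to be 12, standing in for `ZipConstants.CryptoHeaderSize`), the explicit seed parameter and the sample CRC are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

internal static class EncryptionHeaderExample
{
    // Assumption: stands in for ZipConstants.CryptoHeaderSize (12-byte header).
    private const int CryptoHeaderSize = 12;

    // Pattern from the issue: System.Random output is fully determined by its seed.
    internal static byte[] BuildHeaderWithRandom(int seed, long crcValue)
    {
        var cryptBuffer = new byte[CryptoHeaderSize];
        new Random(seed).NextBytes(cryptBuffer);
        cryptBuffer[11] = (byte)(crcValue >> 24);
        return cryptBuffer;
    }

    // Hardened form: fill the header from the operating system CSPRNG.
    internal static byte[] BuildHeaderWithCsprng(long crcValue)
    {
        var cryptBuffer = new byte[CryptoHeaderSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(cryptBuffer);
        }
        cryptBuffer[11] = (byte)(crcValue >> 24); // same check byte as the issue's snippet
        return cryptBuffer;
    }

    internal static void WriteEncryptionHeader(Stream stream, long crcValue)
    {
        if (stream == null) throw new ArgumentNullException(nameof(stream));
        byte[] header = BuildHeaderWithCsprng(crcValue);
        stream.Write(header, 0, header.Length);
    }

    private static void Main()
    {
        const long crc = 0xDEADBEEF;      // constructed sample CRC value
        int seed = Environment.TickCount; // constructed stand-in for a time-derived seed
        string a = BitConverter.ToString(BuildHeaderWithRandom(seed, crc));
        string b = BitConverter.ToString(BuildHeaderWithRandom(seed, crc));
        Console.WriteLine("System.Random, same seed, headers equal: " + (a == b));
        using (var ms = new MemoryStream())
        {
            WriteEncryptionHeader(ms, crc);
            Console.WriteLine("CSPRNG header: " + BitConverter.ToString(ms.ToArray()));
        }
    }
}
```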