refactor: switch to use SecureRandom for random strings

2025-11-30 21:32:30 +00:00 · 2024-03-04 17:33:25 +00:00
--- a/app/lib/smtp_server/client.rb
+++ b/app/lib/smtp_server/client.rb
@@ -1,7 +1,5 @@
 # frozen_string_literal: true

-require "nifty/utils/random_string"
-
 module SMTPServer
  class Client

--- a/app/models/concerns/has_authentication.rb
+++ b/app/models/concerns/has_authentication.rb
@@ -30,7 +30,7 @@ module HasAuthentication
  end

  def begin_password_reset(return_to = nil)
-    self.password_reset_token = Nifty::Utils::RandomString.generate(length: 24)
+    self.password_reset_token = SecureRandom.alphanumeric(24)
    self.password_reset_token_valid_until = 1.day.from_now
    save!
    AppMailer.password_reset(self, return_to).deliver
--- a/app/models/domain.rb
+++ b/app/models/domain.rb
@@ -164,7 +164,7 @@ class Domain < ApplicationRecord
    return unless verification_method_changed?

    if verification_method == "DNS"
-      self.verification_token = Nifty::Utils::RandomString.generate(length: 32)
+      self.verification_token = SecureRandom.alphanumeric(32)
    elsif verification_method == "Email"
      self.verification_token = rand(999_999).to_s.ljust(6, "0")
    else
--- a/app/senders/http_sender.rb
+++ b/app/senders/http_sender.rb
@@ -6,7 +6,7 @@ class HTTPSender < BaseSender
    super()
    @endpoint = endpoint
    @options = options
-    @log_id = Nifty::Utils::RandomString.generate(length: 8).upcase
+    @log_id = SecureRandom.alphanumeric(8).upcase
  end

  def send_message(message)
--- a/lib/postal/message_db/database.rb
+++ b/lib/postal/message_db/database.rb
@@ -327,7 +327,7 @@ module Postal
        time = Time.now.to_f - start_time
        logger.debug "  \e[4;34mMessageDB Query (#{time.round(2)}s) \e[0m  \e[33m#{query}\e[0m"
        if time > 0.05 && query =~ /\A(SELECT|UPDATE|DELETE) /
-          id = Nifty::Utils::RandomString.generate(length: 6).upcase
+          id = SecureRandom.alphanumeric(8)
          explain_result = ResultForExplainPrinter.new(connection.query("EXPLAIN #{query}"))
          logger.info "  [#{id}] EXPLAIN #{query}"
          ActiveRecord::ConnectionAdapters::MySQL::ExplainPrettyPrinter.new.pp(explain_result, time).split("\n").each do |line|
--- a/lib/postal/message_db/message.rb
+++ b/lib/postal/message_db/message.rb
@@ -488,7 +488,7 @@ module Postal
      #
      def create_link(url)
        hash = Digest::SHA1.hexdigest(url.to_s)
-        token = Nifty::Utils::RandomString.generate(length: 8)
+        token = SecureRandom.alphanumeric(16)
        database.insert(:links, { message_id: id, hash: hash, url: url, timestamp: Time.now.to_f, token: token })
        token
      end
@@ -585,7 +585,7 @@ module Postal
      def _create(queue: true)
        self.timestamp = Time.now.to_f if timestamp.blank?
        self.status = "Pending" if status.blank?
-        self.token = Nifty::Utils::RandomString.generate(length: 12) if token.blank?
+        self.token = SecureRandom.alphanumeric(16) if token.blank?
        last_id = @database.insert("messages", @attributes.except(:id))
        @attributes["id"] = last_id
        @database.statistics.increment_all(timestamp, scope)