CSPRNG in restricted python

Allow python's cryptographically secure pseudorandom number generator for usage in restricted python and use it where it makes sense. This also change the API of `Person_generatePassword` which no longer allow to control the number of letters and numbers. /reviewed-on nexedi/erp5!847

CSPRNG in restricted python
Allow python's cryptographically secure pseudorandom number generator for usage in restricted python and use it where it makes sense. This also change the API of `Person_generatePassword` which no longer allow to control the number of letters and numbers. /reviewed-on nexedi/erp5!847
1764c526 · Jérome Perrin · 487dbafb · f25ef810 · 1764c526 · 1764c526
Commit 1764c526 authored Mar 18, 2019 by Jérome Perrin
6 changed files
--- a/bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_init.py
+++ b/bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_init.py
-alpha = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
-random_id = ''
-for _ in range(0, 128):
-  random_id += random.choice(alpha)
+import os
+import base64
+
+# This is python 3.6 secret.token_urlsafe
+random_id = base64.urlsafe_b64encode(os.urandom(48)).rstrip(b'=').decode('ascii')

 # Define Reference from ID provided by portal_ids
 portal = context.getPortalObject()

--- a/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/Person_generatePassword.py
+++ b/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/Person_generatePassword.py
-"""
-  This script generates a human readable random
-  password in the form 'word'+digits+'word'.
-  
-  from http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/410076
-
-  parameters: number of 'characters' , number of 'digits'
-  Pradeep Kishore Gowda <pradeep at btbytes.com >
-  License : GPL 
-  Date : 2005.April.15
-  Revision 1.2 
-  ChangeLog: 
-  1.1 - fixed typos 
-  1.2 - renamed functions _apart & _npart to a_part & n_part as zope does not allow functions to 
-  start with _
-"""
-
-import string, random
-vowels = ['a','e','i','o','u']
-consonants = [a for a in string.ascii_lowercase if a not in vowels]
-digits = string.digits
-
-def a_part(slen):
-    ret = ''
-    for i in range(slen):			
-        if i%2 ==0:
-            randid = random.randint(0,20) #number of consonants
-            ret += consonants[randid]
-        else:
-            randid = random.randint(0,4) #number of vowels
-            ret += vowels[randid]
-    return ret
-
-def n_part(slen):
-    ret = ''
-    for i in range(slen):
-        randid = random.randint(0,9) #number of digits
-        ret += digits[randid]
-    return ret
-
-fpl = alpha/2		
-if alpha % 2 :
-    fpl = int(alpha/2) + 1 					
-lpl = alpha - fpl	
-
-start = a_part(fpl)
-mid = n_part(numeric)
-end = a_part(lpl)
-newpass = "%s%s%s" % (start,mid,end)
-return newpass
+return ''.join(random.SystemRandom().sample(string.letters + string.digits, length))
--- a/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/Person_generatePassword.xml
+++ b/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/Person_generatePassword.xml
@@ -50,7 +50,7 @@
        </item>
        <item>
            <key> <string>_params</string> </key>
-            <value> <string>alpha=6, numeric=2</string> </value>
+            <value> <string>length=20</string> </value>
        </item>
        <item>
            <key> <string>id</string> </key>
@@ -58,7 +58,7 @@
        </item>
        <item>
            <key> <string>title</string> </key>
-            <value> <string>Generate human readable random password</string> </value>
+            <value> <string></string> </value>
        </item>
      </dictionary>
    </pickle>

--- a/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/CredentialRequest_createUser.py
+++ b/bt5/erp5_credential/SkinTemplateItem/portal_skins/erp5_credential/CredentialRequest_createUser.py
@@ -52,7 +52,7 @@ if not login.hasPassword():
      credential_recovery.submit()
    else:
      # system should generate a password
-      password = context.Person_generatePassword(alpha=5, numeric=3)
+      password = context.Person_generatePassword()
      login.setPassword(password)

  # create a global account

--- a/product/ERP5Type/patches/Restricted.py
+++ b/product/ERP5Type/patches/Restricted.py
@@ -344,3 +344,7 @@ for member_id in dir(decimal):
  if isinstance(member, type) and issubclass(member, decimal.DecimalException):
    ContainerAssertions[member] = 1
 del member_id, member
+
+from random import SystemRandom
+allow_type(SystemRandom)
+ModuleSecurityInfo('os').declarePublic('urandom')
--- a/product/ERP5Type/tests/testRestrictedPythonSecurity.py
+++ b/product/ERP5Type/tests/testRestrictedPythonSecurity.py
@@ -25,8 +25,6 @@
 #
 ##############################################################################

-import unittest
-
 from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
 from Products.ERP5Type.tests.utils import createZODBPythonScript
 from Products.ERP5Type.tests.utils import removeZODBPythonScript
@@ -123,3 +121,19 @@ class TestRestrictedPythonSecurity(ERP5TypeTestCase):
        'return urlparse.parse_qsl("q=s")',
        expected=[('q', 's')]
    )
+
+  def testSystemRandom(self):
+    self.createAndRunScript('import random',
+                            'return random.SystemRandom().getrandbits(10)')
+
+  def test_os_urandom(self):
+    self.createAndRunScript('import os',
+                            'return os.urandom(10)')
+    # other "unsafe" os members are not exposed
+    self.assertRaises(Unauthorized,
+      self.createAndRunScript, 'import os',
+                               'return os.path.exists("/")')
+    self.assertRaises(Unauthorized,
+      self.createAndRunScript, 'import os',
+                               'return os.system')
+