Skip to content

LIMS-1612: Replace uniqid with openssl random pseudo bytes#903

Merged
ndg63276 merged 7 commits intopre-release/2025-R2.4from
fix/LIMS-1612/Replace-uniqid-with-openssl_random_pseudo_bytes
Apr 22, 2025
Merged

LIMS-1612: Replace uniqid with openssl random pseudo bytes#903
ndg63276 merged 7 commits intopre-release/2025-R2.4from
fix/LIMS-1612/Replace-uniqid-with-openssl_random_pseudo_bytes

Conversation

@RichB-DLS
Copy link
Collaborator

@RichB-DLS RichB-DLS commented Feb 7, 2025

JIRA ticket: LIMS-1612

Summary:
Removal of all usage of php's uniqId as its is known to be cryptographically insecure. Replaced with openssl_pseudo_random_bytes instead.
All uses of uniqId were being passed into md5() so added a common utility fn for that purpose.

Changes:

  • Added a static utility fn in api/src/Utils.php with a corresponding basic test for params.
  • Replaced all uses of uniqId with the new fn

To test:

  • Go to a dataCollection and attempt to download the processing log. Check the the url query contains the token param.

@RichB-DLS RichB-DLS added improvement php Pull requests that update PHP code labels Feb 7, 2025
@RichB-DLS RichB-DLS requested a review from ndg63276 February 7, 2025 15:25
@RichB-DLS RichB-DLS self-assigned this Feb 7, 2025
@gfrn gfrn changed the title Fix/lims 1612/replace uniqid with openssl random pseudo bytes LIMS-1612: Replace uniqid with openssl random pseudo bytes Feb 7, 2025
@ndg63276
Copy link
Collaborator

ndg63276 commented Feb 11, 2025

Sorry to be a pain, but now that #852 has been merged into master, there is another place we should use the new utility function. Can you merge master into this and then check Shipping.php line 3156 (ish)?

@ndg63276 @RichB-DLS
Merge pre-release/2025-R1.2 into master (#904)
f83cec1 
* LIMS-1590: Dont allow name editing for lab contacts when login is set (#887)

* LIMS-1558: Add functionality for SMILES code for any sample (#880)

* LIMS-1490: Use callback URL for incoming dewars via shipping service (#852)

* LIMS-1570: Remove unused app file (#874)

* LIMS-1537: Add more options to reprocessing (#876)

* LIMS-1466: Disable dispatch form validation when using the shipping service (#891)
@RichB-DLS
Copy link
Collaborator Author

RichB-DLS commented Feb 11, 2025

No problem. Will have a look now.

ndg63276
ndg63276 approved these changes Feb 12, 2025
View reviewed changes
Copy link
Collaborator

@ndg63276 ndg63276 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

@ndg63276 ndg63276 changed the base branch from master to pre-release/2025-R2.4 April 22, 2025 09:10
@ndg63276 ndg63276 merged commit 7e5659c into pre-release/2025-R2.4 Apr 22, 2025
2 checks passed
@ndg63276 ndg63276 deleted the fix/LIMS-1612/Replace-uniqid-with-openssl_random_pseudo_bytes branch April 22, 2025 09:13
ndg63276 added a commit that referenced this pull request May 6, 2025
@ndg63276
Merge pre-release/2025-R2.4 into master (#933)
34039a2 
* LIMS-1665: Don't allow multiple groups with the same name (#919)

* LIMS-1663: Per-page dropdown on multicrystal processing page doesnt work (#917)

* LIMS-1637: Show more info for grid scan groups (#918)

* LIMS-1366: Allow staff direct access to registered dewar page (#893, #897)

* LIMS-1612: Replace uniqid with openssl random pseudo bytes (#903)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ndg63276 ndg63276 ndg63276 approved these changes

Assignees

@RichB-DLS RichB-DLS

Labels

improvement php Pull requests that update PHP code Ready to Release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@RichB-DLS @ndg63276 @gfrn