Bug #14773
Updated by nobu (Nobuyoshi Nakada) over 6 years ago
I believe that the implementation of `SecureRandom.alphanumeric` uses an underlying PRNG that is not the same as the one selected by the `SecureRandom` module. This is because the `alphanumeric` method uses the `:choose` method (line 291 in 2.5.1) which in turn uses the `:random_number` method (lines 254, 261). The `:random_number` method is defined in the `Random::Formatter` module in random.c (the function is `rand_random_number`, line 1369 and associated on line 1647). At any rate, once it is in random.c, it ends up using the insecure PRNG built into random.c.

I have a patch, but probably not one that is production quality. It is pretty simple: it overrides the `random_number` provided in `Random::Formatter` to use the `:bytes` method already defined.

~~~ ruby
module SecureRandom
  # Override Random::Formatter#random_number so the draw comes from
  # SecureRandom.bytes instead of random.c: one byte scaled to max_range.
  def self.random_number max_range
    b = SecureRandom.bytes 1
    n = b.ord/256.0*max_range
    n.to_i
  end
end
~~~

At any rate, it may be a bad idea to extend `SecureRandom` with `Random::Formatter` in general, since it allows paths to use the insecure underlying PRNG in random.c.