Simplify Configuration.random_token and remove insecure fallback (#2102)

The original implementation is 8 years old from commit 47f76712. I'm guessing it partially reimplemented Ruby's SecureRandom from that time to provide the fallback to using Kernel#rand in case the CSPRNG is unavailable. I'm removing it since I don't believe this is very common and I don't think it is Puma's job to fix a broken system.
2022-11-09 13:48:40 -05:00 · 2020-02-07 17:30:56 +01:00 · 2020-02-07 17:30:56 +01:00 · 0e29988b96
commit 0e29988b96
parent 7e691845dd
2 changed files with 3 additions and 22 deletions
--- a/History.md
+++ b/History.md
@ -12,6 +12,7 @@

 * Refactor
  * Remove unused loader argument from Plugin initializer (#2095)
+  * Simplify `Configuration.random_token` and remove insecure fallback (#2102)

 ## 4.3.1 and 3.12.2 / 2019-12-05

--- a/lib/puma/configuration.rb
+++ b/lib/puma/configuration.rb
@ -332,29 +332,9 @@ module Puma
    end

    def self.random_token
-      begin
-        require 'openssl'
-      rescue LoadError
-      end
+      require 'securerandom' unless defined?(SecureRandom)

-      count = 16
-
-      bytes = nil
-
-      if defined? OpenSSL::Random
-        bytes = OpenSSL::Random.random_bytes(count)
-      elsif File.exist?("/dev/urandom")
-        File.open('/dev/urandom') { |f| bytes = f.read(count) }
-      end
-
-      if bytes
-        token = "".dup
-        bytes.each_byte { |b| token << b.to_s(16) }
-      else
-        token = (0..count).to_a.map { rand(255).to_s(16) }.join
-      end
-
-      return token
+      SecureRandom.hex(16)
    end
  end
 end