From b345d6a785ac93d87eb458ae419934ace6b85cfc Mon Sep 17 00:00:00 2001
From: Michael Rowley
Date: Sat, 31 Jul 2021 19:46:39 +0100
Subject: [PATCH] Switched uniqid for random_bytes.
uniqid isn't cryptographically secure, it is a pseudorandom number generator meaning that its values can be deduced or easily guessed within a computationally reasonable amount of guesses, this branch removes its security-oriented implementations and uses random_bytes instead. Note: When a CRNG is not required, uniqid and other functions similar to it (e.g mt_rand & rand) are fine to use as PRNGs which is why I've left it in use for the filename-generation system.
---
 app/Http/Controllers/Auth/RegisterController.php | 4 ++--
 database/factories/UserFactory.php | 4 ++--
 database/seeders/UsersTableSeeder.php | 12 ++++++------
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/app/Http/Controllers/Auth/RegisterController.php b/app/Http/Controllers/Auth/RegisterController.php
index d403203811..aad67f5b9f 100644
--- a/app/Http/Controllers/Auth/RegisterController.php
+++ b/app/Http/Controllers/Auth/RegisterController.php
@@ -74,8 +74,8 @@ public function register(Request $request, $code = null)
 $user->username = $request->input('username');
 $user->email = $request->input('email');
 $user->password = Hash::make($request->input('password'));
- $user->passkey = \md5(\uniqid('', true).\time().\microtime());
- $user->rsskey = \md5(\uniqid('', true).\time().\microtime().$user->password);
+ $user->passkey = \md5(\random_bytes(60));
+ $user->rsskey = \md5(\random_bytes(60).$user->password);
 $user->uploaded = \config('other.default_upload');
 $user->downloaded = \config('other.default_download');
 $user->style = \config('other.default_style', 0);
diff --git a/database/factories/UserFactory.php b/database/factories/UserFactory.php
index 693942f4a0..ad2bfe7052 100644
--- a/database/factories/UserFactory.php
+++ b/database/factories/UserFactory.php
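Review bot: Passing 60 random bytes through md5 on the two new passkey/rsskey lines caps each token at md5's 128-bit output and makes the real requirement (a 32-char hex string) harder to see; `bin2hex(random_bytes(16))` gives the same length and format with the same entropy and no hash step, e.g. `$user->passkey = \bin2hex(\random_bytes(16));`. The `.$user->password` suffix on the rsskey line no longer adds anything now that the input is CSPRNG output rather than a guessable uniqid, so it can be dropped. The same `md5(random_bytes(60))` shape appears in UserFactory at the -31 and -44 hunks and in UsersTableSeeder at the -46, -56 and -66 hunks, where the same substitution applies. register() begins and ends outside this hunk.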
@@ -31,7 +31,7 @@ public function definition()
 'username' => $this->faker->unique()->userName,
 'email' => $this->faker->unique()->safeEmail,
 'password' => \bcrypt('secret'),
- 'passkey' => \md5(\uniqid('', true).\time().\microtime()),
+ 'passkey' => \md5(\random_bytes(60)),
 'group_id' => fn () => Group::factory()->create()->id,
 'active' => true,
 'uploaded' => $this->faker->randomNumber(),
@@ -44,7 +44,7 @@ public function definition()
 'seedbonus' => $this->faker->randomFloat(),
 'invites' => $this->faker->randomNumber(),
 'hitandruns' => $this->faker->randomNumber(),
- 'rsskey' => \md5(\uniqid('', true).\time().\microtime()),
+ 'rsskey' => \md5(\random_bytes(60)),
 'chatroom_id' => fn () => Chatroom::factory()->create()->id,
 'censor' => $this->faker->boolean,
 'chat_hidden' => $this->faker->boolean,
diff --git a/database/seeders/UsersTableSeeder.php b/database/seeders/UsersTableSeeder.php
index 76157597d7..14e849b876 100644
--- a/database/seeders/UsersTableSeeder.php
+++ b/database/seeders/UsersTableSeeder.php
@@ -46,8 +46,8 @@ private function getUsers()
 'email' => config('unit3d.default-owner-email'),
 'group_id' => 9,
 'password' => \Hash::make(config('unit3d.default-owner-password')),
- 'passkey' => md5(uniqid().time().microtime()),
- 'rsskey' => md5(uniqid().time()),
+ 'passkey' => md5(random_bytes(60)),
+ 'rsskey' => md5(random_bytes(60)),
 'api_token' => Str::random(100),
 'active' => 1,
 ],
@@ -56,8 +56,8 @@ private function getUsers()
 'email' => config('unit3d.default-owner-email'),
 'group_id' => 9,
 'password' => \Hash::make(config('unit3d.default-owner-password')),
- 'passkey' => md5(uniqid().time().microtime()),
- 'rsskey' => md5(uniqid().time()),
+ 'passkey' => md5(random_bytes(60)),
+ 'rsskey' => md5(random_bytes(60)),
 'api_token' => Str::random(100),
 'active' => 1,
 ],
@@ -66,8 +66,8 @@ private function getUsers()
 'email' => config('unit3d.default-owner-email'),
 'group_id' => 10,
 'password' => \Hash::make(config('unit3d.default-owner-password')),
- 'passkey' => md5(uniqid().time().microtime()),
- 'rsskey' => md5(uniqid().time()),
+ 'passkey' => md5(random_bytes(60)),
+ 'rsskey' => md5(random_bytes(60)),
 'api_token' => Str::random(100),
 'active' => 1,
 ],