I've uploaded a new #Perl Critic policy that checks code for naive random data generation from a hash over not-so-random sources like rand(), system time, pid such as

md5_hex( rand . time . $$ . ++$counter )

This anti-pattern is used in many places, and has been the reason for several CVEs.

https://metacpan.org/release/RRWO/Perl-Critic-Policy-Security-RandBytesFromHash-v0.1.0

#CPAN #security

As a scholarly aside, I am curious as to who first came up with this anti-pattern.
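The following is an added example, not code from the post or from the Perl::Critic policy itself. It puts the `md5_hex( rand . time . $$ . ++$counter )` anti-pattern next to a replacement that reads from the kernel CSPRNG, and shows one concrete reason rand() is a poor ingredient: Perl's rand() state lives in process memory, so every child of a prefork server inherits the same generator and emits the same sequence. It assumes a Unix-like system with fork() and /dev/urandom; the function names `weak_token`, `rand_after_fork` and `secure_token` are mine.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# The anti-pattern from the post. Every ingredient is guessable: time and
# $$ are public, the counter starts at a known value, and rand() is a
# non-cryptographic generator whose state is copied on fork.
my $counter = 0;
sub weak_token {
    return md5_hex( rand . time . $$ . ++$counter );
}

# Seed the parent's generator once, fork $n children, and have each child
# send its first rand() value back through a pipe. Returns the list of
# values; they come out identical because the children share the parent's
# PRNG state. (Added demonstration, not part of the policy.)
sub rand_after_fork {
    my ($n) = @_;
    srand();    # explicit seeding in the parent; the implicit seed on the
                # first rand() call would have the same effect
    my @values;
    for ( 1 .. $n ) {
        pipe( my $rd, my $wr ) or die "pipe: $!";
        my $pid = fork;
        die "fork: $!" unless defined $pid;
        if ( $pid == 0 ) {    # child: inherits a copy of the PRNG state
            close $rd;
            my $r = rand;
            print {$wr} $r;
            close $wr;
            exit 0;
        }
        close $wr;            # parent: collect the child's value
        my $v = <$rd>;
        close $rd;
        waitpid $pid, 0;
        push @values, $v;
    }
    return @values;
}

# Hardened replacement: take bytes straight from the kernel CSPRNG and
# hex-encode them. No hashing of guessable inputs, no state shared across
# forks. Assumes /dev/urandom exists; on other platforms use a CPAN module
# such as Crypt::URandom instead.
sub secure_token {
    my ($nbytes) = @_;
    $nbytes //= 16;
    open( my $fh, '<:raw', '/dev/urandom' ) or die "open /dev/urandom: $!";
    my $got = sysread( $fh, my $buf, $nbytes );
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == $nbytes;
    return unpack( 'H*', $buf );
}

my @r = rand_after_fork(4);
my %distinct = map { $_ => 1 } @r;
printf "%d children, %d distinct rand() value(s): %s\n",
    scalar @r, scalar keys %distinct, join( ' ', @r );
print "weak:   ", weak_token(),   "\n";
print "secure: ", secure_token(), "\n";
```

With the parent seeded before forking, the four children report one distinct rand() value, so in a prefork worker the only thing separating two workers' `weak_token` outputs is `$$`, which an attacker on the host can read from the process table and a remote one can brute-force through the pid range. If a worker happens to make its first rand() call after the fork it seeds itself, which removes the duplication but still leaves a non-cryptographic generator hashed together with public values; the fix in either case is to stop deriving secrets from those inputs at all.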


@rrwo Tried to install it, but:

```
cpan[2]> install Perl::Critic::Policy::Security::RandBytesFromHash
Warning: Cannot install Perl::Critic::Policy::Security::RandBytesFromHash, don't know what it is.
Try the command

i /Perl::Critic::Policy::Security::RandBytesFromHash/

to find objects with matching identifiers.
```

I assume it may take some time until it is downloadable - thank you anyways for providing it!

@rrwo Might be a candidate for inclusion in Perl::Critic::Community.