From 31442675bdc703c208c748e82b634d9f334f7d98 Mon Sep 17 00:00:00 2001
From: chgg-kboberg <56612207+chgg-kboberg@users.noreply.github.com>
Date: Wed, 10 Nov 2021 08:24:36 -0800
Subject: [PATCH 1/2] fix: CSPRNG

A clever user with access to enough voucher codes can recover the initial state of a long-running Java process, allowing them to forge codes. Seed recovery of Knuth's PRNG is a practical attack: https://hal.archives-ouvertes.fr/hal-02700791/document
---
 src/main/java/io/voucherify/generator/VoucherCodes.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/io/voucherify/generator/VoucherCodes.java b/src/main/java/io/voucherify/generator/VoucherCodes.java
index 5b79439..c8f9637 100644
--- a/src/main/java/io/voucherify/generator/VoucherCodes.java
+++ b/src/main/java/io/voucherify/generator/VoucherCodes.java
@@ -1,10 +1,10 @@
 package io.voucherify.generator;
 
-import java.util.Random;
+import java.security.SecureRandom;
 
 public final class VoucherCodes {
 
- private static final Random RND = new Random(System.currentTimeMillis());
+ private static final SecureRandom RND = new SecureRandom(System.currentTimeMillis());
 
 /**
 * Generates a random code according to given config.

From 8fc9d24da3ce20044eb77d4270fb770d5c7ae6c4 Mon Sep 17 00:00:00 2001
From: chgg-kboberg <56612207+chgg-kboberg@users.noreply.github.com>
Date: Thu, 11 Nov 2021 08:16:19 -0800
Subject: [PATCH 2/2] Fix SecureRandom constructor

---
 src/main/java/io/voucherify/generator/VoucherCodes.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/main/java/io/voucherify/generator/VoucherCodes.java b/src/main/java/io/voucherify/generator/VoucherCodes.java
index c8f9637..bf78e92 100644
--- a/src/main/java/io/voucherify/generator/VoucherCodes.java
+++ b/src/main/java/io/voucherify/generator/VoucherCodes.java
@@ -4,7 +4,9 @@
 
 public final class VoucherCodes {
 
- private static final SecureRandom RND = new SecureRandom(System.currentTimeMillis());
+ private static final SecureRandom RND = new SecureRandom();
+ //preserve previous seed behavior (though not necessary, see https://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html#SecureRandom--)
+ RND.setSeed(System.currentTimeMillis());
 
 /**
 * Generates a random code according to given config.
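Review bot: `RND.setSeed(System.currentTimeMillis());` is added as a bare statement directly in the class body, right after the field declaration, and Java does not accept a statement there outside a method or initializer block, so the new side of this hunk does not compile as shown. The call is better dropped than wrapped in `static { ... }`: a millisecond timestamp contributes no meaningful entropy, and with some providers (SHA1PRNG is the commonly cited case) seeding before the first `nextBytes` call can take the place of self-seeding rather than supplement it, which would bring back the guessable seed that patch 1/2 set out to remove. Keeping only `private static final SecureRandom RND = new SecureRandom();` and deleting the comment and the `setSeed` line is enough. The class body continues outside the hunk, so how `RND` is consumed by the code generator is not visible here.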