From 0260041f92880f8da1cc6b9190dfe292898b7150 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 12 Mar 2026 18:47:52 +0000
Subject: [PATCH 1/4] Use cryptographically secure RNG for Request ID

In `action_devices.py`, replaced the insecure `import random` and `random.randint` with the cryptographically strong `import secrets` and `secrets.randbelow` when generating the Request ID for state reports. This ensures the predictability of request IDs is eliminated, preventing potential spoofing or replay vulnerabilities related to ID generation.

Co-authored-by: DaTiC0 <13198638+DaTiC0@users.noreply.github.com>
---
 action_devices.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/action_devices.py b/action_devices.py
index f4a0d9b..ca9bf91 100644
--- a/action_devices.py
+++ b/action_devices.py
@@ -316,8 +316,8 @@ def report_state():
     if not REPORTSTATE_AVAILABLE:
         logger.warning("ReportState module not available, skipping report_state")
         return "ReportState not available"
-    import random
-    n = random.randint(10**19, 10**20)
+    import secrets
+    n = 10**19 + secrets.randbelow(10**20 - 10**19 + 1)
     report_state_file = {
         'requestId': str(n),
         'agentUserId': current_app.config['AGENT_USER_ID'],

From f06d82699df607db936ace154a227bb78191afcd Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 12 Mar 2026 19:43:58 +0000
Subject: [PATCH 2/4] Use cryptographically secure RNG for Request ID

In `action_devices.py`, replaced the insecure `import random` and `random.randint` with the cryptographically strong `import secrets` and `secrets.randbelow` when generating the Request ID for state reports. This ensures the predictability of request IDs is eliminated, preventing potential spoofing or replay vulnerabilities related to ID generation.

Co-authored-by: DaTiC0 <13198638+DaTiC0@users.noreply.github.com>
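Review bot: The new `n = 10**19 + secrets.randbelow(10**20 - 10**19 + 1)` does reproduce the old inclusive `randint(10**19, 10**20)` range, but the value is only ever used as `str(n)` two lines below, so hand-computed bound arithmetic is the least readable way to get an unpredictable identifier. If the ReportState consumer accepts any opaque string, `str(uuid.uuid4())` or `secrets.token_hex(16)` says what it is without any arithmetic to verify; which format the endpoint requires is not visible in this hunk, so that needs confirming before changing the shape of the ID. The commit message's spoofing/replay rationale is also stronger than the hunk supports: nothing shown here validates a request ID on any response, so the honest description is that the correlation ID is now unpredictable. `report_state()` starts before and continues after this hunk.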
From ad773d084788abed24319924ce5d08391bf3aba5 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 12 Mar 2026 19:49:40 +0000
Subject: [PATCH 3/4] Simplify mathematical expression for readability

Update the random number generation logic based on PR feedback. Changed `10**20 - 10**19 + 1` to the simplified equivalent `9 * 10**19 + 1` to make the code easier to understand at a glance.

Co-authored-by: DaTiC0 <13198638+DaTiC0@users.noreply.github.com>
---
 action_devices.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/action_devices.py b/action_devices.py
index ca9bf91..a8c7752 100644
--- a/action_devices.py
+++ b/action_devices.py
@@ -317,7 +317,7 @@ def report_state():
         logger.warning("ReportState module not available, skipping report_state")
         return "ReportState not available"
     import secrets
-    n = 10**19 + secrets.randbelow(10**20 - 10**19 + 1)
+    n = 10**19 + secrets.randbelow(9 * 10**19 + 1)
     report_state_file = {
         'requestId': str(n),
         'agentUserId': current_app.config['AGENT_USER_ID'],

From 49e5f6ed452566ee5c779465698a662f6ac5c7c5 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 12 Mar 2026 19:52:11 +0000
Subject: [PATCH 4/4] Move import secrets to top of file

Moved `import secrets` to the top of `action_devices.py` to comply with PEP 8 style guidelines, improving readability and making dependencies clear at a glance.

Co-authored-by: DaTiC0 <13198638+DaTiC0@users.noreply.github.com>
---
 action_devices.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/action_devices.py b/action_devices.py
index a8c7752..4fbed36 100644
--- a/action_devices.py
+++ b/action_devices.py
@@ -4,6 +4,7 @@
 import json
 import logging
 import requests
+import secrets
 from flask import current_app
 from notifications import mqtt
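Review bot: The simplified bound `9 * 10**19 + 1` still carries an unexplained `+ 1` that a reader will likely mistake for an off-by-one, which undercuts a commit whose whole purpose is readability; the line should say why it is there, e.g. `n = 10**19 + secrets.randbelow(9 * 10**19 + 1)  # inclusive [10**19, 10**20], same bounds as the former randint`. Note that `10**20` itself is a 21-digit number, so this range admits exactly one ID that is not 20 digits wide; if a fixed-width 20-digit ID is what the consumer expects, dropping the `+ 1` would give that, but it is a behaviour change to confirm with whoever reads `requestId` rather than to slip into a readability patch. `report_state()` starts before and continues after this hunk.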
@@ -316,7 +317,7 @@ def report_state():
     if not REPORTSTATE_AVAILABLE:
         logger.warning("ReportState module not available, skipping report_state")
         return "ReportState not available"
-    import secrets
+
     n = 10**19 + secrets.randbelow(9 * 10**19 + 1)
     report_state_file = {
         'requestId': str(n),
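Review bot: Judging by the hunk header (7 old lines, 7 new) and the diffstat's second insertion beyond the top-of-file import, the removed `import secrets` appears to have been replaced by an empty line rather than simply deleted, leaving a stray blank line between `return "ReportState not available"` and `n = 10**19 + secrets.randbelow(9 * 10**19 + 1)` in the middle of the function body. Delete that blank line so the early-return guard and the ID generation read as one block; the module-level `import secrets` added earlier in this patch already covers the reference. `report_state()` starts before and continues after this hunk.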