From ea40a39a09c6e486e9a4949d67561d1b8a9d7c84 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Fri, 10 Oct 2025 19:55:47 +0200 Subject: [PATCH] [stable-10] random_string: replace random.SystemRandom() with secrets.SystemRandom() (#10896) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit random_string: replace random.SystemRandom() with secrets.SystemRandom() (#10893) * random_string: replace random.SystemRandom() with secrets.SystemRandom() * add the forgotten blank line * Update changelogs/fragments/replace-random-with-secrets.yml * readd the description * Update changelogs/fragments/replace-random-with-secrets.yml --------- (cherry picked from commit 14a858fd9c66b1630ca54394daa80a74e547269d) Signed-off-by: Thomas Sjögren Co-authored-by: Thomas Sjögren --- changelogs/fragments/replace-random-with-secrets.yml | 4 ++++ plugins/lookup/random_string.py | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 changelogs/fragments/replace-random-with-secrets.yml diff --git a/changelogs/fragments/replace-random-with-secrets.yml b/changelogs/fragments/replace-random-with-secrets.yml new file mode 100644 index 0000000000..b82e59e7e9 --- /dev/null +++ b/changelogs/fragments/replace-random-with-secrets.yml @@ -0,0 +1,4 @@ +bugfixes: + - random_string lookup plugin - replace ``random.SystemRandom()`` with ``secrets.SystemRandom()`` when + generating strings. This has no practical effect, as both are the same + (https://github.com/ansible-collections/community.general/pull/10893). diff --git a/plugins/lookup/random_string.py b/plugins/lookup/random_string.py index bd72916d92..e1003efeda 100644 --- a/plugins/lookup/random_string.py +++ b/plugins/lookup/random_string.py @@ -16,7 +16,7 @@ short_description: Generates random string version_added: '3.2.0' description: - Generates random string based upon the given constraints. - - Uses L(random.SystemRandom,https://docs.python.org/3/library/random.html#random.SystemRandom), so should be strong enough + - Uses L(secrets.SystemRandom,https://docs.python.org/3/library/secrets.html#secrets.SystemRandom), so should be strong enough for cryptographic purposes. options: length: @@ -149,6 +149,7 @@ _raw: import base64 import random +import secrets import string from ansible.errors import AnsibleLookupError @@ -178,7 +179,7 @@ class LookupModule(LookupBase): lower_chars = string.ascii_lowercase upper_chars = string.ascii_uppercase special_chars = string.punctuation - random_generator = random.SystemRandom() + random_generator = secrets.SystemRandom() self.set_options(var_options=variables, direct=kwargs)