{"title":"Insecure Randomness via random.choice for Session Token Generation","language":"Python","severity":"High","cwe":"CWE-338","source_lines":[10],"flow_lines":[10,11],"sink_lines":[11],"vulnerable_code":"import random\nimport string\nfrom flask import Flask, session, request\n\napp = Flask(__name__)\napp.secret_key = 'dev_key_12345'\n\n@app.route('/iot/device/pair', methods=['POST'])\ndef pair_iot_device():\n    device_id = request.json.get('device_id')\n    pairing_token = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(16))\n    session['iot_pairing_token'] = pairing_token\n    session['paired_device'] = device_id\n    return {'pairing_token': pairing_token, 'device_id': device_id, 'status': 'pending_confirmation'}","explanation":"The code uses random.choice() from Python's random module to generate a pairing token for IoT device authentication. The random module is backed by the Mersenne Twister PRNG, which is not cryptographically secure: its output is predictable once enough of its state has been observed, so the 16-character token is vulnerable to prediction attacks during the critical device pairing phase.","remediation":"The fix replaces the insecure random.choice() with Python's secrets module, which provides cryptographically secure random number generation suitable for security-sensitive token creation. Additionally, the hardcoded app.secret_key is replaced with a securely generated key using secrets.token_hex(32), and secrets.token_urlsafe(24) generates a 32-character URL-safe token with sufficient entropy to resist prediction attacks.","secure_code":"import secrets\nimport string\nfrom flask import Flask, session, request\n\napp = Flask(__name__)\napp.secret_key = secrets.token_hex(32)\n\n@app.route('/iot/device/pair', methods=['POST'])\ndef pair_iot_device():\n    device_id = request.json.get('device_id')\n    pairing_token = secrets.token_urlsafe(24)\n    session['iot_pairing_token'] = pairing_token\n    session['paired_device'] = device_id\n    return {'pairing_token': pairing_token, 'device_id': device_id, 'status': 'pending_confirmation'}"}