Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace Date().getTime() with System.currentTimeMillis() #15889

Closed
openrefactorymunawar opened this issue Oct 8, 2024 · 1 comment
Closed

Replace Date().getTime() with System.currentTimeMillis() #15889

openrefactorymunawar opened this issue Oct 8, 2024 · 1 comment
Assignees
@sjohnr
Labels
in: core An issue in spring-security-core status: duplicate A duplicate of another issue type: enhancement A general enhancement
Milestone
6.4.0-RC1

Comments

@openrefactorymunawar
Copy link
Contributor

Overview

In file: KeyBasedPersistenceTokenService.java, there is a method allocateToken that creates a Date object to get the current number of milliseconds. This is inefficient as the Date object is created only to get current milliseconds which can be done in a better way using System.currentTimeMillis().

There are also deprecation issues. Date().getTime() returns the number of milliseconds since January 1, 1970, 00:00:00 GMT. However, this method is deprecated and may not provide accurate results due to time zone issues.

On the other hand, System.currentTimeMillis() returns the current time in milliseconds since January 1, 1970, 00:00:00 GMT in UTC. This method is more reliable and recommended for use.

The fix replaces Date().getTime() with System.currentTimeMillis(), which ensures that the creation time is accurately recorded without any potential issues related to time zones or deprecated methods.

Affected Branches/Tags

Affected Versions

  • 6.3.3

CLA Requirements:

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

All contributed commits are already automatically signed off.

The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

Sponsorship and Support:

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.

The bug is found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 8, 2024
@openrefactorymunawar openrefactorymunawar mentioned this issue Oct 8, 2024
Merged
@sjohnr sjohnr self-assigned this Oct 10, 2024
@sjohnr sjohnr added status: duplicate A duplicate of another issue in: core An issue in spring-security-core type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 10, 2024
@sjohnr sjohnr added this to the 6.4.0-RC1 milestone Oct 10, 2024
@sjohnr
Copy link
Member

sjohnr commented Oct 10, 2024

Closed via 6f909ef

@sjohnr sjohnr closed this as completed Oct 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sjohnr sjohnr

Labels
in: core An issue in spring-security-core status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
6.4.0-RC1
Development

No branches or pull requests
3 participants
@sjohnr @spring-projects-issues @openrefactorymunawar