get random in UUID more cryptography secure

[LamentXU123]

random.getrandbits() is used widely in lib uuid espectially in generating clock_seqs in UUID v1 and v6

if 624*32//14+1 UUIDs are leaked to hackers, they could predict the next UUID generated.

reference: https://github.com/LamentXU123/cve/blob/main/UUID.md

to make it more cryptography secure, secrets.randbits() should be used instead of random.getrandbits()

[python-cla-bot]

All commit authors signed the Contributor License Agreement.

[bedevere-app]

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

[ZeroIntensity]

uuid1() already has security warnings, and the rest that were changed here are documented as pseudo-random. I don't think we need to change anything here, apart from maybe adding some extra documentation notes.

[LamentXU123]

You're right. But I think changing them to a more secure way has no disadvantage. Why not make it more unpredictable with no side effects?

[ZeroIntensity]

Well, there are clearly side-effects. The UUID tests are totally broken by this change.

[LamentXU123]

Well it seems like its broken because the test script uses random.getrandbits()

for example:

    def test_uuid1_time(self):
        with mock.patch.object(self.uuid, '_generate_time_safe', None), \
             mock.patch.object(self.uuid, '_last_timestamp', None), \
             mock.patch.object(self.uuid, 'getnode', return_value=93328246233727), \
             mock.patch('time.time_ns', return_value=1545052026752910643), \
             mock.patch('random.getrandbits', return_value=5317): # guaranteed to be random
            u = self.uuid.uuid1()
            self.assertEqual(u, self.uuid.UUID('a7a55b92-01fc-11e9-94c5-54e1acf6da7f'))

this will triger a assertion error because random.getrandbits() was changed to secrets.randbits() so teh script could not control the random number by patching ;)

I'll take a closer look soon

[LamentXU123]

Well it seems like its broken because the test script uses random.getrandbits()

for example:

    def test_uuid1_time(self):
        with mock.patch.object(self.uuid, '_generate_time_safe', None), \
             mock.patch.object(self.uuid, '_last_timestamp', None), \
             mock.patch.object(self.uuid, 'getnode', return_value=93328246233727), \
             mock.patch('time.time_ns', return_value=1545052026752910643), \
             mock.patch('random.getrandbits', return_value=5317): # guaranteed to be random
            u = self.uuid.uuid1()
            self.assertEqual(u, self.uuid.UUID('a7a55b92-01fc-11e9-94c5-54e1acf6da7f'))

this will triger a assertion error because random.getrandbits() was changed to secrets.randbits() so the script could not control the random number by patching ;)

I'll take a closer look soon

[LamentXU123]

Maybe I could add a parameter to uuid1() and uuid6() which is False by default, and if its true, using secret.randbits() instead of random.getrandbits() ?