Security Guide
Taiizor edited this page Dec 18, 2024
UUID uses cryptographically secure random number generation to ensure unpredictability:

```csharp
using System.Security.Cryptography;
using System.Threading;

public class UUID
{
    // One RandomNumberGenerator instance per thread: no shared state, no locking
    private static readonly ThreadLocal<RandomNumberGenerator> Rng =
        new(() => RandomNumberGenerator.Create());

    // Fills the buffer from the current thread's CSPRNG
    private static void GetRandomBytes(byte[] buffer)
    {
        Rng.Value?.GetBytes(buffer);
    }
}
```

All operations are thread-safe through:
- Immutable design
- Thread-local random number generation
- Lock-free operations
```csharp
// DO: Use Base32 for URL-safe representation
string urlSafeId = uuid.ToBase32();

// DON'T: Use raw byte arrays in URLs
byte[] bytes = uuid.ToByteArray(); // Not URL-safe
```

```csharp
// DO: Use parameterized queries
using var cmd = new SqlCommand(
    "SELECT * FROM Users WHERE Id = @Id",
    connection);
cmd.Parameters.AddWithValue("@Id", uuid.ToString());

// DON'T: Use string concatenation
string query = $"SELECT * FROM Users WHERE Id = '{uuid}'"; // Vulnerable to SQL injection
```

```csharp
// DO: Validate UUIDs in API endpoints
[HttpGet("{id}")]
public IActionResult Get(string id)
{
    if (!UUID.TryParse(id, out var uuid))
    {
        return BadRequest("Invalid UUID format");
    }

    // Process valid UUID
    return Ok(uuid.ToString());
}
```

UUIDs generated by this library are not predictable because:
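The two practices above, input validation with `UUID.TryParse` and parameterized queries, fit together in one request path. The following is an added example and not code from the UUID library or its wiki; `UsersController`, `_connectionString`, the `Users` table and its `Name` column are assumptions made for illustration:

```csharp
using System.Data.SqlClient;
using Microsoft.AspNetCore.Mvc;

// Added example (not part of the UUID project): validate first, then bind the
// value as a query parameter so it never becomes part of the SQL text.
[ApiController]
[Route("api/users")]
public class UsersController : ControllerBase
{
    private readonly string _connectionString; // assumed to be injected by the host

    public UsersController(string connectionString) => _connectionString = connectionString;

    [HttpGet("{id}")]
    public IActionResult Get(string id)
    {
        // Reject anything that is not a well-formed UUID before touching the database.
        // The client gets a 400, and the database only ever sees canonical values.
        if (!UUID.TryParse(id, out var uuid))
        {
            return BadRequest("Invalid UUID format");
        }

        using var connection = new SqlConnection(_connectionString);
        connection.Open();

        // Assumed schema: Users(Id, Name). The id is sent as a parameter, so the
        // query text is fixed regardless of what the caller submitted.
        using var cmd = new SqlCommand("SELECT Name FROM Users WHERE Id = @Id", connection);
        cmd.Parameters.AddWithValue("@Id", uuid.ToString());

        var name = cmd.ExecuteScalar() as string;
        if (name is null)
        {
            return NotFound();
        }

        // Return the string form, never the raw byte representation
        return Ok(new { Id = uuid.ToString(), Name = name });
    }
}
```

Re-serializing the parsed value with `uuid.ToString()` rather than echoing the raw `id` string means the query and the response both carry the canonical form, which also keeps logs and caches consistent.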
- Cryptographic random number generation
- Time-based component adds entropy
- Thread-local generation prevents patterns
The library is resistant to timing attacks:
- Constant-time comparison operations
- No sensitive information in generation process
- No secret-dependent branches
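When a UUID is used as a bearer-style value (a reset token, an API key id, an idempotency key), the comparison on the server side should not leak how many leading bytes matched. The following added example is not the library's own code; it shows an early-exit comparison next to a fixed-time one built on `CryptographicOperations.FixedTimeEquals` from .NET, using the `ToByteArray()` and `TryParse` members shown on this page. `UuidCompare` and its method names are assumptions:

```csharp
using System;
using System.Security.Cryptography;

// Added example (not part of the UUID project): comparing two UUID values
// without a secret-dependent early exit.
public static class UuidCompare
{
    // Naive comparison: returns as soon as a byte differs, so the elapsed time
    // depends on where the first mismatch is. Shown only for contrast.
    public static bool EarlyExitEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++)
        {
            if (a[i] != b[i]) return false;
        }
        return true;
    }

    // Fixed-time comparison: FixedTimeEquals (.NET Core 2.1+ / .NET 5+) examines
    // every byte of both spans, so the running time does not depend on the data.
    public static bool FixedTimeEquals(UUID expected, UUID provided)
    {
        return CryptographicOperations.FixedTimeEquals(
            expected.ToByteArray(), provided.ToByteArray());
    }

    // Typical use: the stored value and the submitted value both arrive as strings.
    // Anything that fails to parse is rejected before any comparison happens.
    public static bool SubmittedMatchesStored(string stored, string submitted)
    {
        if (!UUID.TryParse(stored, out var expected)) return false;
        if (!UUID.TryParse(submitted, out var provided)) return false;
        return FixedTimeEquals(expected, provided);
    }
}
```

`FixedTimeEquals` still returns immediately when the two inputs have different lengths; that is acceptable here because every UUID produces the same byte length, so the length check reveals nothing about the value.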
```csharp
// DO: Use appropriate string formats
public class UserDto
{
    public string Id { get; set; }

    public UserDto(UUID uuid) => Id = uuid.ToString();
}

// DON'T: Expose internal byte representation
public class UserDto
{
    public byte[] Id { get; set; }

    public UserDto(UUID uuid) => Id = uuid.ToByteArray();
}
```

- Cryptographic random number generation
- Thread-safe operations
- Constant-time comparisons
- Immutable design
- No sensitive data exposure
- Validate all UUID inputs
- Use parameterized queries
- Implement proper access controls
- Log security events
- Regular security audits
If you discover a security vulnerability:
- DO NOT open a public issue
- Email taiizor@vegalya.com
- Include detailed information about the vulnerability
- Wait for confirmation before disclosure
- Subscribe to our security mailing list
- Monitor our Security Advisories
- Check Changelog for security-related updates
- Check our FAQ section
- Visit Debugging and Diagnostics
- Review Performance guidelines
- Join our Discord community
- Ask on Stack Overflow
- Report issues on GitHub