Course

The Code Review Patch challenges are designed to enhance your code review skills by providing you with both the vulnerable code and the corresponding patch. The idea is to first attempt to find the security issue in the given code without looking at the patch. This exercise simulates a real-world scenario where you often have to identify issues without any hints. If you're unable to pinpoint the problem or want to verify your findings, you can then refer to the patch, which highlights the changes made to fix the vulnerability.

One such example is the `TokenHelper.java` from the Apache Struts2 project. The original code used a standard `Random` class to generate tokens, which is not cryptographically secure. The patch replaces this with `SecureRandom`, a more secure alternative, to prevent predictability in token generation. This exercise illustrates the importance of using appropriate libraries and methods for security-critical operations.