[11.x] Use secure randomness in Arr::random() and Arr::shuffle() (#49642)

* Use Randomizer::pickArrayKeys() within Arr::random()

* Use Randomizer::shuffleArray() in Arr::shuffle()

* Remove unused $seed from shuffle

* Fix failing shuffle tests

Author: valorin

src/Illuminate/Collections/Arr.php

@@ -6,6 +6,7 @@
 use ArrayAccess;
 use Illuminate\Support\Traits\Macroable;
 use InvalidArgumentException;
+use Random\Randomizer;
 
 class Arr
 {
@@ -661,24 +662,24 @@ public static function random($array, $number = null, $preserveKeys = false)
             );
         }
 
-        if (is_null($number)) {
-            return $array[array_rand($array)];
+        if (empty($array) || (! is_null($number) && $number <= 0)) {
+            return is_null($number) ? null : [];
         }
 
-        if ((int) $number === 0) {
-            return [];
-        }
+        $keys = (new Randomizer)->pickArrayKeys($array, $requested);
 
-        $keys = array_rand($array, $number);
+        if (is_null($number)) {
+            return $array[$keys[0]];
+        }
 
         $results = [];
 
         if ($preserveKeys) {
-            foreach ((array) $keys as $key) {
+            foreach ($keys as $key) {
                 $results[$key] = $array[$key];
             }
         } else {
-            foreach ((array) $keys as $key) {
+            foreach ($keys as $key) {
                 $results[] = $array[$key];
             }
         }
@@ -730,20 +731,11 @@ public static function set(&$array, $key, $value)
      * Shuffle the given array and return the result.
      *
      * @param  array  $array
-     * @param  int|null  $seed
      * @return array
      */
-    public static function shuffle($array, $seed = null)
+    public static function shuffle($array)
     {
-        if (is_null($seed)) {
-            shuffle($array);
-        } else {
-            mt_srand($seed);
-            shuffle($array);
-            mt_srand();
-        }
-
-        return $array;
+        return (new Randomizer)->shuffleArray($array);
     }
 
     /**

src/Illuminate/Collections/Collection.php

@@ -1125,12 +1125,11 @@ public function shift($count = 1)
     /**
      * Shuffle the items in the collection.
      *
-     * @param  int|null  $seed
      * @return static
      */
-    public function shuffle($seed = null)
+    public function shuffle()
     {
-        return new static(Arr::shuffle($this->items, $seed));
+        return new static(Arr::shuffle($this->items));
     }
 
     /**

src/Illuminate/Collections/Enumerable.php

@@ -889,10 +889,9 @@ public function search($value, $strict = false);
     /**
      * Shuffle the items in the collection.
      *
-     * @param  int|null  $seed
      * @return static
      */
-    public function shuffle($seed = null);
+    public function shuffle();
 
     /**
      * Create chunks representing a "sliding window" view of the items in the collection.

src/Illuminate/Collections/LazyCollection.php

@@ -1058,12 +1058,11 @@ public function search($value, $strict = false)
     /**
      * Shuffle the items in the collection.
      *
-     * @param  int|null  $seed
      * @return static
      */
-    public function shuffle($seed = null)
+    public function shuffle()
     {
-        return $this->passthru('shuffle', func_get_args());
+        return $this->passthru('shuffle', []);
     }
 
     /**

tests/Support/SupportArrTest.php

@@ -907,14 +907,30 @@ public function testSet()
         $this->assertEquals([1 => 'hAz'], Arr::set($array, 1, 'hAz'));
     }
 
-    public function testShuffleWithSeed()
+    public function testShuffle()
     {
-        $this->assertEquals(
-            Arr::shuffle(range(0, 100, 10), 1234),
-            Arr::shuffle(range(0, 100, 10), 1234)
+        $input = ['a', 'b', 'c', 'd', 'e', 'f'];
+
+        $this->assertNotEquals(
+            $input,
+            Arr::shuffle($input)
+        );
+
+        $this->assertNotEquals(
+            Arr::shuffle($input),
+            Arr::shuffle($input)
         );
     }
 
+    public function testShuffleKeepsSameValues()
+    {
+        $input = ['a', 'b', 'c', 'd', 'e', 'f'];
+        $shuffled = Arr::shuffle($input);
+        sort($shuffled);
+
+        $this->assertEquals($input, $shuffled);
+    }
+
     public function testEmptyShuffle()
     {
         $this->assertEquals([], Arr::shuffle([]));

tests/Support/SupportCollectionTest.php

@@ -442,17 +442,6 @@ public function testCollectionIsConstructed($collection)
         $this->assertEmpty($data->all());
     }
 
-    #[DataProvider('collectionClassProvider')]
-    public function testCollectionShuffleWithSeed($collection)
-    {
-        $data = new $collection(range(0, 100, 10));
-
-        $firstRandom = $data->shuffle(1234);
-        $secondRandom = $data->shuffle(1234);
-
-        $this->assertEquals($firstRandom, $secondRandom);
-    }
-
     #[DataProvider('collectionClassProvider')]
     public function testSkipMethod($collection)
     {