fix(api): Insecure randomness

2024-11-24 04:53:41 +00:00 · 2024-09-30 06:32:43 +01:00 · 2024-09-30 06:32:43 +01:00 · 00fa4316be
commit 00fa4316be
parent b735d5ebd1
3 changed files with 19 additions and 2 deletions
--- a/api/src/chat/services/block.service.ts
+++ b/api/src/chat/services/block.service.ts
@ -21,6 +21,7 @@ import { PluginType } from '@/plugins/types';
 import { Settings } from '@/setting/schemas/types';
 import { SettingService } from '@/setting/services/setting.service';
 import { BaseService } from '@/utils/generics/base-service';
+import { getRadom } from '@/utils/helpers/safeRandom';

 import { BlockRepository } from '../repositories/block.repository';
 import { Block, BlockFull, BlockPopulate } from '../schemas/block.schema';
@ -394,7 +395,7 @@ export class BlockService extends BaseService<Block, BlockPopulate, BlockFull> {
   */
  getRandom<T>(array: T[]): T {
    return Array.isArray(array)
-      ? array[Math.floor(Math.random() * array.length)]
+      ? array[Math.floor(getRadom() * array.length)]
      : array;
  }

--- a/api/src/user/controllers/auth.controller.spec.ts
+++ b/api/src/user/controllers/auth.controller.spec.ts
@ -27,6 +27,7 @@ import { LanguageModel } from '@/i18n/schemas/language.schema';
 import { I18nService } from '@/i18n/services/i18n.service';
 import { LanguageService } from '@/i18n/services/language.service';
 import { LoggerService } from '@/logger/logger.service';
+import { getRadom } from '@/utils/helpers/safeRandom';
 import { installUserFixtures } from '@/utils/test/fixtures/user';
 import {
  closeInMongodConnection,
@ -126,7 +127,7 @@ describe('AuthController', () => {
    role = await roleService.findOne({});
    baseUser = {
      email: 'test@testing.com',
-      password: Math.random().toString(),
+      password: getRadom().toString(),
      username: 'test',
      first_name: 'test',
      last_name: 'test',
--- a/api/src/utils/helpers/safeRandom.ts
+++ b/api/src/utils/helpers/safeRandom.ts
@ -0,0 +1,15 @@
+/*
+ * Copyright © 2024 Hexastack. All rights reserved.
+ *
+ * Licensed under the GNU Affero General Public License v3.0 (AGPLv3) with the following additional terms:
+ * 1. The name "Hexabot" is a trademark of Hexastack. You may not use this name in derivative works without express written permission.
+ * 2. All derivative works must include clear attribution to the original creator and software, Hexastack and Hexabot, in a prominent location (e.g., in the software's "About" section, documentation, and README file).
+ */
+
+/**
+ * Return a cryptographically secure random value between 0 and 1 is desired
+ *
+ * @returns A cryptographically secure random value between 0 and 1 is desired
+ */
+export const getRadom = (): number =>
+  window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2, -32);