From 1183473aaf6ebdc78dc8b8a4087e6a3dc8437dca Mon Sep 17 00:00:00 2001
From: yassinedorbozgithub
Date: Mon, 30 Sep 2024 06:33:00 +0100
Subject: [PATCH] fix(frontend): Insecure randomness
---
 frontend/src/layout/Header.tsx | 3 ++-
 frontend/src/utils/generateId.ts | 4 +++-
 frontend/src/utils/safeRandom.ts | 15 +++++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 frontend/src/utils/safeRandom.ts
diff --git a/frontend/src/layout/Header.tsx b/frontend/src/layout/Header.tsx
index 49a912a..81ed200 100644
--- a/frontend/src/layout/Header.tsx
+++ b/frontend/src/layout/Header.tsx
@@ -26,6 +26,7 @@ import { getAvatarSrc } from "@/components/inbox/helpers/mapMessages";
 import { useAuth } from "@/hooks/useAuth";
 import { useConfig } from "@/hooks/useConfig";
 import { EntityType } from "@/services/types";
+import { getRadom } from "@/utils/safeRandom";
 import { borderLine, theme } from "./themes/theme";
@@ -84,7 +85,7 @@ export const Header: FC = ({ isSideBarOpen, onToggleSidebar }) => {
 const [randomSeed, setRandomSeed] = useState("randomseed");
 useEffect(() => {
- setRandomSeed(Math.random().toString());
+ setRandomSeed(getRadom().toString());
 }, [user]);
 return (
diff --git a/frontend/src/utils/generateId.ts b/frontend/src/utils/generateId.ts
index fb857e9..2dbac09 100644
--- a/frontend/src/utils/generateId.ts
+++ b/frontend/src/utils/generateId.ts
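Review bot: The imported name `getRadom` on the added import line and at the `setRandomSeed(getRadom().toString())` call is misspelled; the export in frontend/src/utils/safeRandom.ts and the import in frontend/src/utils/generateId.ts carry the same typo, so renaming it to `getRandom` in all three files is a single mechanical change. The call site itself is sound: it runs inside `useEffect`, which only executes in the browser, so the helper's reliance on `window.crypto` is satisfied here. The seed appears to need only to differ from its `"randomseed"` default and from the previous value (inferred from the initial state and the `[user]` dependency; the consumer of `randomSeed` is outside the hunk), so a single 32-bit draw is adequate and the wider precision of `Math.random` was never required. The component body continues outside the hunk.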
@@ -6,12 +6,14 @@
  * 2. All derivative works must include clear attribution to the original creator and software, Hexastack and Hexabot, in a prominent location (e.g., in the software's "About" section, documentation, and README file).
  */
+import { getRadom } from "./safeRandom";
+
 export const generateId = () => {
 const d = typeof performance === "undefined" ? Date.now() : performance.now() * 1000;
 return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (c) => {
- const r = (Math.random() * 16 + d) % 16 | 0;
+ const r = (getRadom() * 16 + d) % 16 | 0;
 return (c == "x" ? r : (r & 0x3) | 0x8).toString(16);
 });
diff --git a/frontend/src/utils/safeRandom.ts b/frontend/src/utils/safeRandom.ts
new file mode 100644
index 0000000..539677b
--- /dev/null
+++ b/frontend/src/utils/safeRandom.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright © 2024 Hexastack. All rights reserved.
+ *
+ * Licensed under the GNU Affero General Public License v3.0 (AGPLv3) with the following additional terms:
+ * 1. The name "Hexabot" is a trademark of Hexastack. You may not use this name in derivative works without express written permission.
+ * 2. All derivative works must include clear attribution to the original creator and software, Hexastack and Hexabot, in a prominent location (e.g., in the software's "About" section, documentation, and README file).
+ */
+
+/**
+ * Return a cryptographically secure random value between 0 and 1 is desired
+ *
+ * @returns A cryptographically secure random value between 0 and 1 is desired
+ */
+export const getRadom = (): number =>
+ window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2, -32);
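Review bot: Each of the 31 `x`/`y` positions now allocates a fresh `Uint32Array` and calls `getRandomValues`, because `getRadom()` is invoked once per character inside the `replace` callback on the changed `const r` line; one 16-byte draw for the whole identifier is cheaper and reads more clearly. The `+ d` term is a constant within a single call, so once the source is a CSPRNG it merely rotates every nibble by the same fixed offset and adds no entropy — it can go, together with the `performance`/`Date.now()` line. Where only secure contexts need to be served, `crypto.randomUUID()` produces the same v4 layout in one call. The function's closing brace is outside the hunk; the existing `typeof performance === "undefined"` guard suggests this code may run where browser globals are absent, so the rewrite below references `globalThis.crypto` rather than `window.crypto`.
```typescript
export const generateId = () => {
  // One CSPRNG draw covers all 31 random nibbles (16 bytes = 32 nibbles).
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  let nibble = 0;
  return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (c) => {
    const byte = bytes[nibble >> 1] ?? 0;
    const r = nibble % 2 === 0 ? byte >> 4 : byte & 0xf;
    nibble++;
    return (c === "x" ? r : (r & 0x3) | 0x8).toString(16);
  });
```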
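Review bot: `window.crypto` on the last line ties the helper to a browser global, while the `typeof performance === "undefined"` guard in generateId.ts (its other caller in this patch) suggests the frontend code may execute where `window` is absent; `globalThis.crypto` resolves in browsers, workers and recent Node alike, e.g. `globalThis.crypto.getRandomValues(new Uint32Array(1))[0] * 2 ** -32`. The docstring's "between 0 and 1 is desired" reads like an editing leftover on both lines; state the contract instead, e.g. `Returns a cryptographically secure random number in [0, 1) with 32 bits of entropy, drawn from the Web Crypto API — a drop-in replacement for Math.random where predictability matters.` It is worth adding that the value carries 32 bits rather than the 53 bits `Math.random` offers, which is ample for ids and seeds but not equivalent precision. Under `noUncheckedIndexedAccess` the `[0]` index on the typed array is typed `number | undefined` and this line would not compile; if that flag is on in the project's tsconfig (not visible here), read `[0] ?? 0` or assign the filled array to a local first.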