UniqAI/hexabot
1
0
Fork 0
mirror of https://github.com/hexastack/hexabot synced 2024-11-24 04:53:41 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix(frontend): Insecure randomness

Browse Source
This commit is contained in:
yassinedorbozgithub 2024-09-30 06:33:00 +01:00
parent 00fa4316be
commit 1183473aaf
3 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
frontend/src/layout/Header.tsx
View File

@ -26,6 +26,7 @@ import { getAvatarSrc } from "@/components/inbox/helpers/mapMessages";
import { useAuth } from "@/hooks/useAuth";
import { useConfig } from "@/hooks/useConfig";
import { EntityType } from "@/services/types";
import { getRadom } from "@/utils/safeRandom";
import { borderLine, theme } from "./themes/theme";
@ -84,7 +85,7 @@ export const Header: FC<HeaderProps> = ({ isSideBarOpen, onToggleSidebar }) => {
const [randomSeed, setRandomSeed] = useState<string>("randomseed");
useEffect(() => {
setRandomSeed(Math.random().toString());
setRandomSeed(getRadom().toString());
}, [user]);
return (

4
frontend/src/utils/generateId.ts
View File

@ -6,12 +6,14 @@
* 2. All derivative works must include clear attribution to the original creator and software, Hexastack and Hexabot, in a prominent location (e.g., in the software's "About" section, documentation, and README file).
*/
import { getRadom } from "./safeRandom";
export const generateId = () => {
const d =
typeof performance === "undefined" ? Date.now() : performance.now() * 1000;
return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (c) => {
const r = (Math.random() * 16 + d) % 16 | 0;
const r = (getRadom() * 16 + d) % 16 | 0;
return (c == "x" ? r : (r & 0x3) | 0x8).toString(16);
});

15
frontend/src/utils/safeRandom.ts Normal file
View File

@ -0,0 +1,15 @@
/*
* Copyright © 2024 Hexastack. All rights reserved.
*
* Licensed under the GNU Affero General Public License v3.0 (AGPLv3) with the following additional terms:
* 1. The name "Hexabot" is a trademark of Hexastack. You may not use this name in derivative works without express written permission.
* 2. All derivative works must include clear attribution to the original creator and software, Hexastack and Hexabot, in a prominent location (e.g., in the software's "About" section, documentation, and README file).
*/
/**
* Return a cryptographically secure random value between 0 and 1 is desired
*
* @returns A cryptographically secure random value between 0 and 1 is desired
*/
export const getRadom = (): number =>
window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2, -32);