
C039 - Fixing issues of Math.random() #9967

@MV88 MV88 (Contributor) commented Feb 9, 2024

Description

Fixing some possible issues related to Math.random() in a dedicated branch C039-webmapper-28-10-2022.

See here for more details: https://kemilbeltre.medium.com/why-do-not-use-math-random-a6f8b0ad38dd
https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues

Please check if the PR fulfills these requirements

What kind of change does this PR introduce? (check one with "x", remove the others)

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Other... Please describe:

Issue

What is the current behavior?

#

What is the new behavior?

Breaking change

Does this PR introduce a breaking change? (check one with "x", remove the other)

  • Yes, and I documented them in migration notes
  • No

Other useful information

@MV88 MV88 requested a review from tdipisa February 9, 2024 11:57
@MV88 MV88 self-assigned this Feb 9, 2024
@MV88 MV88 changed the title Fixing vulnerabilites of Math.random() C039 - Fixing vulnerabilites of Math.random() Feb 9, 2024
@MV88 MV88 changed the base branch from webmapper-28-10-2022 to C039-webmapper-28-10-2022 February 9, 2024 11:59
@MV88 MV88 closed this Feb 9, 2024
@MV88 MV88 reopened this Feb 9, 2024
@offtherailz offtherailz (Member) commented Feb 9, 2024

Sorry, but the usage here is not cryptographic, so using strong Math.random() looks legit to me. Did I miss something? Also, the article you quote says:

You can use Math.random() when the expected value does not compromise the app.

and

Use strong generation methods as Crypto.getRandomValues() when required.

That I can understand as "not always".

@MV88 MV88 (Contributor, Author) commented Feb 9, 2024

Sorry, but the usage here is not cryptographic, so using strong Math.random() looks legit to me. Did I miss something? Also, the article you quote says:

You can use Math.random() when the expected value does not compromise the app.

I would agree with you that if Math.random is used in non-critical parts it is fine to use, although one of our clients has in place a Fortify scan which spotted this as a high issue. The thing is that they already marked them as reliable issues, so I decided to solve them by using another method.


Now we could check, maybe ignore them, or
we can add a rule in our ESLint to avoid the Math.random method, or
we can fix it in another way.

For the future we may decide, for that client, to mark these issues as non-issues.

Use strong generation methods as Crypto.getRandomValues() when required.

That I can understand as "not always".

idk what you mean here tbh

@MV88 MV88 changed the title C039 - Fixing vulnerabilites of Math.random() C039 - Fixing issues of Math.random() Feb 9, 2024
@tdipisa tdipisa closed this Feb 9, 2024
@MV88 MV88 deleted the webmapper_3160_updates_fortify branch February 9, 2024 13:54