Potential fix for code scanning alert no. 91: Insecure randomness

[mustafaneguib]

Potential fix for https://github.com/Data-Research-Analysis/data-research-analysis-platform/security/code-scanning/91

Use a cryptographically secure random source in the browser for the session suffix, e.g. globalThis.crypto.getRandomValues(...), and encode bytes to a short base36/hex-like string.
Best minimal fix: replace only the uploadSessionId generation line in frontend/pages/projects/[projectid]/data-sources/connect/excel.vue so functionality remains the same (string ID with timestamp + random suffix) while removing insecure randomness.

Implementation details:

• No new imports required.
• Add a small inline secure-random suffix generation expression using Uint32Array(1) and crypto.getRandomValues.
• Keep the existing upload_${Date.now()}_... format.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[mustafaneguib]

@copilot the code that you have added is as follows:

const secureRandomSuffix = globalThis.crypto.getRandomValues(new Uint32Array(1))[0].toString(36).padStart(7, '0').slice(0, 7);

where is globalThis declared?

[Copilot]

Pull request overview

Updates the Excel data-source connect flow to address code scanning alert #91 by replacing Math.random() with a cryptographically secure random source when generating the per-upload session identifier.

Changes:

• Replaced insecure randomness (Math.random()) with globalThis.crypto.getRandomValues(...) for the upload session ID suffix.
• Preserved the existing upload_${Date.now()}_${suffix} session ID format to avoid behavioral changes.

[Copilot]

@copilot the code that you have added is as follows:

const secureRandomSuffix = globalThis.crypto.getRandomValues(new Uint32Array(1))[0].toString(36).padStart(7, '0').slice(0, 7);
...

globalThis is a standard JavaScript built-in global object (introduced in ECMAScript 2020) — it does not require any import or declaration. It is automatically available in all modern JavaScript environments:

• In the browser: globalThis === window is true, so globalThis.crypto resolves to the Web Crypto API (window.crypto).
• In Node.js (18+): globalThis.crypto is also available natively.
• In Web Workers: globalThis works there too, unlike window.

Using globalThis.crypto instead of just crypto or window.crypto is the cross-environment safe idiom recommended for Nuxt3/SSR projects — it avoids a window is not defined error if the expression is ever evaluated in the Node.js SSR context. No import is needed.