Potential fix for code scanning alert no. 91: Insecure randomness#373
mustafaneguib merged 1 commit into main from
Conversation
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@copilot the code that you have added is as follows: `const secureRandomSuffix = globalThis.crypto.getRandomValues(new Uint32Array(1))[0].toString(36).padStart(7, '0').slice(0, 7);` where is globalThis declared?
Pull request overview
Updates the Excel data-source connect flow to address code scanning alert #91 by replacing Math.random() with a cryptographically secure random source when generating the per-upload session identifier.
Changes:
- Replaced insecure randomness (`Math.random()`) with `globalThis.crypto.getRandomValues(...)` for the upload session ID suffix.
- Preserved the existing `upload_${Date.now()}_${suffix}` session ID format to avoid behavioral changes.
Using
Potential fix for https://github.com/Data-Research-Analysis/data-research-analysis-platform/security/code-scanning/91
Use a cryptographically secure random source in the browser for the session suffix, e.g. `globalThis.crypto.getRandomValues(...)`, and encode bytes to a short base36/hex-like string.
Best minimal fix: replace only the `uploadSessionId` generation line in `frontend/pages/projects/[projectid]/data-sources/connect/excel.vue` so functionality remains the same (string ID with timestamp + random suffix) while removing insecure randomness.
Implementation details:
- `Uint32Array(1)` and `crypto.getRandomValues`.
- `upload_${Date.now()}_...` format.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.