Skip to content

UBERF-9747 #8867

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: develop
Choose a base branch
from
Draft

UBERF-9747 #8867

wants to merge 1 commit into from

Conversation

haiodo
Copy link
Member

@haiodo haiodo commented May 7, 2025

No description provided.

@huly-github-staging Huly GitHub Staging
Copy link

Connected to Huly®: UBERF-10522

github-advanced-security[bot]
github-advanced-security bot found potential problems May 21, 2025
View reviewed changes
plugins/workbench-resources/src/connect.ts
Comment on lines +303 to +311
const employee = await ensureEmployee(
ctx,
accountRef,
newClient,
workspaceLoginInfo.workspace,
Array.from(accountRef.fullSocialIds.values()),
getGlobalPerson
)

Check failure

Code scanning / CodeQL

Insecure randomness High

This uses a cryptographically insecure random number generated at
Math.random()
Loading
in a security context.
This uses a cryptographically insecure random number generated at
Math.random()
Loading
in a security context.

Copilot Autofix

AI 14 days ago

To fix the issue, we need to replace the use of Math.random() with a cryptographically secure random number generator. In Node.js, the crypto module provides a secure method for generating random values. Specifically, we can use crypto.randomBytes to generate random bytes and convert them to a hexadecimal string.

The changes will involve:

  1. Replacing the Math.random() calls in packages/core/src/utils.ts with a secure random value generated using crypto.randomBytes.
  2. Updating the random variable in generateId to use the secure random value.
Suggested changeset 1
packages/core/src/utils.ts
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/core/src/utils.ts b/packages/core/src/utils.ts
--- a/packages/core/src/utils.ts
+++ b/packages/core/src/utils.ts
@@ -63,4 +63,6 @@
 
-let counter = (Math.random() * (1 << 24)) | 0
-const random = toHex((Math.random() * (1 << 24)) | 0, 6) + toHex((Math.random() * (1 << 16)) | 0, 4)
+import { randomBytes } from 'crypto';
+
+let counter = (randomBytes(3).readUIntBE(0, 3)) | 0;
+const random = toHex(randomBytes(3).readUIntBE(0, 3), 6) + toHex(randomBytes(2).readUIntBE(0, 2), 4);
 
EOF
@@ -63,4 +63,6 @@

let counter = (Math.random() * (1 << 24)) | 0
const random = toHex((Math.random() * (1 << 24)) | 0, 6) + toHex((Math.random() * (1 << 16)) | 0, 4)
import { randomBytes } from 'crypto';

let counter = (randomBytes(3).readUIntBE(0, 3)) | 0;
const random = toHex(randomBytes(3).readUIntBE(0, 3), 6) + toHex(randomBytes(2).readUIntBE(0, 2), 4);

Copilot is powered by AI and may make mistakes. Always verify output.
@haiodo
UBERF-9747
591db55 
Signed-off-by: Andrey Sobolev <[email protected]>
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 10, 2025
View reviewed changes
server/server/src/sessionManager.ts

const session = this.createSession(token, workspace.wsId, account)
session.sessionId = sessionId !== undefined && (sessionId ?? '').trim().length > 0 ? sessionId : generateId()

Check failure

Code scanning / CodeQL

Insecure randomness High

This uses a cryptographically insecure random number generated at
Math.random()
Loading
in a security context.
This uses a cryptographically insecure random number generated at
Math.random()
Loading
in a security context.

Copilot Autofix

AI 14 days ago

To fix the issue, replace the insecure Math.random() usage in the generateId() function with a cryptographically secure random number generator. Specifically, use crypto.randomUUID() or crypto.getRandomValues() to generate secure random values. This ensures that the generated sessionId is unpredictable and suitable for security-sensitive contexts.

Steps to implement the fix:

  1. Modify the generateId() function in packages/core/src/utils.ts to use crypto.getRandomValues() for generating random values instead of Math.random().
  2. Ensure that the replacement maintains the same functionality (e.g., hexadecimal formatting and concatenation).
  3. Update the imports if necessary to include the crypto module.
Suggested changeset 1
packages/core/src/utils.ts
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/core/src/utils.ts b/packages/core/src/utils.ts
--- a/packages/core/src/utils.ts
+++ b/packages/core/src/utils.ts
@@ -63,4 +63,4 @@
 
-let counter = (Math.random() * (1 << 24)) | 0
-const random = toHex((Math.random() * (1 << 24)) | 0, 6) + toHex((Math.random() * (1 << 16)) | 0, 4)
+let counter = 0
+const random = toHex(crypto.getRandomValues(new Uint32Array(1))[0], 8) + toHex(crypto.getRandomValues(new Uint16Array(1))[0], 4)
 
EOF
@@ -63,4 +63,4 @@

let counter = (Math.random() * (1 << 24)) | 0
const random = toHex((Math.random() * (1 << 24)) | 0, 6) + toHex((Math.random() * (1 << 16)) | 0, 4)
let counter = 0
const random = toHex(crypto.getRandomValues(new Uint32Array(1))[0], 8) + toHex(crypto.getRandomValues(new Uint16Array(1))[0], 4)

Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@haiodo