Fix critical vulnerabilities in eeg_rpsd: RNG seed and input validation #34
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1)replaced fixed RNG seeds (rng('default') and rand('state', 0)) with time-based seeds to ensure true randomness and improve security.
2)added input validation for EEG struct, nfreqs, and pct_data to prevent runtime errors and invalid inputs.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
issue background
2 critical vulnerabilities were identified in the
eeg_rpsdfunction:rng('default')andrand('state', 0)results in predictable random sequences, which can compromise the statistical randomness of data analysis and pose security risks.EEGstruct,nfreqs, andpct_data, potentially leading to runtime errors (e.g., array out-of-bounds or crashes).these issues could affect the reliability of EEG data analysis and the stability of the program, particularly when handling sensitive data (e.g., medical data).
changes made
RNG seed fix:
1.1 replaced
rng('default')andrand('state', 0)with time-based seeds (rng('shuffle')for MATLAB andrand('seed', sum(100*clock))for Octave) to ensure true randomness.1.2 removed redundant
rng('shuffle')call to streamline MATLAB/Octave compatibility.input validation:
2.1 added validation for the
EEGstruct to ensure required fields (icaweights,icaact,srate,pnts,trials) are present.2.2 enhanced validation for
nfreqsandpct_datato enforce positive integers and valid ranges (0 < pct_data <= 100).impact
1.1 improved randomness and security, making the function suitable for sensitive data processing.
1.2 enhanced robustness by reducing the risk of crashes due to invalid inputs.
1.3 maintained compatibility with MATLAB and Octave.