
Potential fix for code scanning alert no. 26: Insecure randomness#652

Merged: cute-omega merged 1 commit into master from alert-autofix-26 on Jun 29, 2026

Conversation

@cute-omega (Collaborator)

Potential fix for https://github.com/docmirror/dev-sidecar/security/code-scanning/26

Use a cryptographically secure source for the random suffix used in uid generation. In browser Vue code, the correct primitive is crypto.getRandomValues. This keeps behavior the same (a short unique-ish ID string) while removing Math.random().

Best fix in this file:

  • Edit packages/gui/src/view/components/JsonEditor.vue at the uid definition region.
  • Replace Math.random().toString(36).slice(2, 9) with a CSPRNG-derived value, e.g. one 32-bit random integer converted to base36.
  • No new npm dependency is needed; use built-in Web Crypto API.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@cute-omega cute-omega marked this pull request as ready for review June 29, 2026 06:54
@cute-omega cute-omega merged commit d7e3957 into master Jun 29, 2026
5 of 6 checks passed
@cute-omega cute-omega deleted the alert-autofix-26 branch June 29, 2026 06:54