fix(nms): Fix insecure randomness #12417
Conversation
Thanks for opening a PR! 💯
Howto
Please take a moment to read through the Magma project's
If this is your first Magma PR, also consider reading
If I use crypto.getRandomValues() without "window", in CI tests I get error: Cannot resolve name
You need to import it:
also note that it has a different API than
Sorry that this takes so long.
crypto.getRandomValues is only available since node v17.4.0 and we are using v16.14. Also only using 4 bytes isn't great.
I suggest we use something like
crypto.randomBytes(16).toString('hex')
@thmsschmitt thanks for helping
@spikey979 I'm waiting for the
Signed-off-by: Kristijan <spikey979@gmail.com>
fix(nms): Fix insecure randomness
Summary
Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value. A cryptographically secure pseudo-random number generator should be used instead.
Additional Information
This is for code scanning alerts:
https://github.com/magma/magma/security/code-scanning/62
https://github.com/magma/magma/security/code-scanning/63
https://github.com/magma/magma/security/code-scanning/64
https://github.com/magma/magma/security/code-scanning/65