fix: replace weak RandomState PRNG with OS-backed getrandom crate #1

Merged: niklabh merged 1 commit into main from fix/csprng-getrandom on Mar 16, 2026
@niklabh niklabh commented Mar 16, 2026

The previous getrandom implementation used std's RandomState/SipHash which is not cryptographically secure. Guests relying on api_random for key generation or nonces were vulnerable. Switch to the getrandom crate which uses the OS CSPRNG (/dev/urandom, BCryptGenRandom, etc.).

Summary by CodeRabbit

  • Refactor

    • Replaced manual random number generation with system-level random generation for improved reliability.
  • Chores

    • Added dependency to support random number generation functionality.

The previous getrandom implementation used std's RandomState/SipHash
which is not cryptographically secure. Guests relying on api_random for
key generation or nonces were vulnerable. Switch to the getrandom crate
which uses the OS CSPRNG (/dev/urandom, BCryptGenRandom, etc.).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
coderabbitai bot commented Mar 16, 2026

Walkthrough

A dependency on the getrandom crate version 0.2 was added to the project, and the manual pseudo-random number generation implementation in capabilities.rs was replaced with a direct call to the OS RNG through getrandom::getrandom, which panics on failure.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency Addition: oxide-browser/Cargo.toml | Added getrandom = "0.2" dependency. |
| RNG Implementation Refactor: oxide-browser/src/capabilities.rs | Replaced manual pseudo-random loop generating bytes through RandomState and hasher with direct getrandom::getrandom OS RNG call; error handling changed from per-block to panic on failure. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A random seed we sought to find,
From OS calls, so true and kind,
Getrandom comes with steadfast grace,
No manual loops to slow the pace! 🎲

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: replacing a weak PRNG implementation with a secure OS-backed random number generator via the getrandom crate. |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@oxide-browser/src/capabilities.rs`:
- Line 1328: Replace the panic-based RNG call with Result handling: change the
direct ::getrandom::getrandom(buf).expect(...) invocation inside api_random to a
fallible wrapper (e.g., a new getrandom function returning Result<(), String> or
map_err inline) and update api_random to handle the Err case instead of
panicking—log the error and return the appropriate failure sentinel (or
propagate a trap via the caller) rather than calling expect. Locate the
getrandom invocation and the api_random host callback to implement the map_err()
conversion and the subsequent error branch that avoids terminating the process.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f199cf38-21fe-4c8e-9799-5bc7e35e1c1f

📥 Commits

Reviewing files that changed from the base of the PR and between 62a9f61 and a5a231c.

📒 Files selected for processing (2)
  • oxide-browser/Cargo.toml
  • oxide-browser/src/capabilities.rs

@niklabh niklabh merged commit a2f9d4c into main Mar 16, 2026
5 checks passed
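
The review comment's suggestion of a non-panicking RNG path, sketched as an added example that is not code from this PR or from the oxide-browser project. The names `api_random_fallible`, `os_fill`, `RANDOM_OK` and `RANDOM_ERR` are hypothetical, and `os_fill` reads `/dev/urandom` with std only as a stand-in for `getrandom::getrandom` so the block builds without dependencies.

```rust
use std::fs::File;
use std::io::{self, Read};

// Assumed sentinels returned to the guest; the project's real values are not on the page.
pub const RANDOM_OK: i32 = 0;
pub const RANDOM_ERR: i32 = -1;

/// Std-only stand-in for `getrandom::getrandom` (Unix): fill `buf` from the OS CSPRNG.
pub fn os_fill(buf: &mut [u8]) -> io::Result<()> {
    File::open("/dev/urandom")?.read_exact(buf)
}

/// Hypothetical body of an `api_random`-style host callback that never panics.
/// `fill` is the entropy source, injectable so the failure path can be exercised.
pub fn api_random_fallible<F>(buf: &mut [u8], mut fill: F) -> i32
where
    F: FnMut(&mut [u8]) -> io::Result<()>,
{
    // Fill a scratch buffer first: on error the guest buffer is left untouched,
    // so a guest can never mistake partially written bytes for key material.
    let mut scratch = vec![0u8; buf.len()];
    match fill(&mut scratch) {
        Ok(()) => {
            buf.copy_from_slice(&scratch);
            RANDOM_OK
        }
        Err(e) => {
            // Log and report failure instead of taking the whole host down.
            eprintln!("api_random: OS RNG failed: {e}");
            RANDOM_ERR
        }
    }
}

fn main() {
    let mut nonce = [0u8; 12];
    let rc = api_random_fallible(&mut nonce, os_fill);
    println!("rc={rc}");
}
```

This only helps if the guest checks the return code before using the buffer; a guest that ignores `RANDOM_ERR` would derive keys or nonces from whatever the buffer already held.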