refactor(api): use secure RNG, closes #1356 (#1398)

lucasfernog · web-flow · commit c8992bb0bfb8 · 2021-03-30T00:26:40.000-03:00
diff --git a/.changes/secure-rng.md b/.changes/secure-rng.md
@@ -0,0 +1,5 @@
+---
+"api": patch
+---
+
+Use secure RNG on callback function names.
diff --git a/api/src/tauri.ts b/api/src/tauri.ts
@@ -7,27 +7,12 @@ declare global {
   }
 }
 
-function s4(): string {
-  return Math.floor((1 + Math.random()) * 0x10000)
-    .toString(16)
-    .substring(1)
-}
-
 function uid(): string {
-  return (
-    s4() +
-    s4() +
-    '-' +
-    s4() +
-    '-' +
-    s4() +
-    '-' +
-    s4() +
-    '-' +
-    s4() +
-    s4() +
-    s4()
-  )
+  const length = new Int8Array(1)
+  window.crypto.getRandomValues(length)
+  const array = new Uint8Array(Math.max(16, Math.abs(length[0])))
+  window.crypto.getRandomValues(array)
+  return array.join('')
 }
 
 function transformCallback(
diff --git a/tauri/scripts/bundle.js b/tauri/scripts/bundle.js
diff --git a/tauri/scripts/core.js b/tauri/scripts/core.js
@@ -7,29 +7,14 @@ if (!String.prototype.startsWith) {
 }
 
 (function () {
-  function s4() {
-    return Math.floor((1 + Math.random()) * 0x10000)
-      .toString(16)
-      .substring(1);
+  function uid() {
+    const length = new Int8Array(1)
+    window.crypto.getRandomValues(length)
+    const array = new Uint8Array(Math.max(16, Math.abs(length[0])))
+    window.crypto.getRandomValues(array)
+    return array.join('')
   }
 
-  var uid = function () {
-    return (
-      s4() +
-      s4() +
-      "-" +
-      s4() +
-      "-" +
-      s4() +
-      "-" +
-      s4() +
-      "-" +
-      s4() +
-      s4() +
-      s4()
-    );
-  };
-
   function ownKeys(object, enumerableOnly) {
     var keys = Object.keys(object);
     if (Object.getOwnPropertySymbols) {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"api": patch
 +---
++
 +Use secure RNG on callback function names.