Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CRITICAL] Unsafe fallback to Math.random #118

Closed
joepie91 opened this issue Aug 6, 2015 · 2 comments
Closed

[CRITICAL] Unsafe fallback to Math.random #118

joepie91 opened this issue Aug 6, 2015 · 2 comments

Comments

@joepie91
Copy link

joepie91 commented Aug 6, 2015

This is a critical issue, compromising the security of this module.

In this part of the code, this module will fall back to Math.random, regardless of the environment.

This is unsafe, as the crypto module may not always be available in Node.js environments - Node.js may have been compiled without OpenSSL, or a past or future version of Node.js may be used that does not carry the module. In this case, it will silently fall back to poor-quality random data.

The correct behaviour in non-browser environments would be to throw an error, and refuse to continue, if no 'safe' random source can be obtained, and to let the system administrator fix their environment.

Ideally, in browser environments, it would be allowed to fall back to Math.random, but only if an allowUnsafe (or similar) flag were specified on usage. This means the behaviour is safe by default, but can still be run unsafely if old browsers absolutely must be supported, and cryptographically secure UUIDs are not required.

EDIT: Apparently the crypto usage is broken in all cases? Per #108.
@joepie91 joepie91 mentioned this issue Aug 6, 2015
Closed
@joepie91
Copy link
Author

joepie91 commented Aug 9, 2015

This module should be considered completely broken and insecure until this issue is resolved.

My current advice would be to use the defunctzombie fork (on npm as uuid) instead of this module (which is on npm as node-uuid). It does not suffer from this issue.

srhoulam referenced this issue in ga-wdi-boston/node-express-session-lesson Aug 18, 2015
@srhoulam
Replace node-uuid with uuid for security concerns.
ea97bcc 
https://github.com/broofa/node-uuid/issues/118
This was referenced Sep 10, 2015
Closed
Open
@joepie91 joepie91 changed the title Unsafe fallback to Math.random [CRITICAL] Unsafe fallback to Math.random Sep 14, 2015
This was referenced Nov 12, 2015
Closed
Closed
coolaj86 pushed a commit that referenced this issue Nov 12, 2015
v1.4.4: close #122 #118 #108
672f383
@coolaj86
Copy link
Contributor

fixed

srhoulam referenced this issue in ga-wdi-boston/node-express-session-lesson Nov 22, 2015
@srhoulam
Replace node-uuid with uuid for security concerns.
74c77ce 
https://github.com/broofa/node-uuid/issues/118
srhoulam referenced this issue in ga-wdi-boston/node-express-session-lesson Nov 22, 2015
@srhoulam
Replace node-uuid with uuid for security concerns.
76838a5 
https://github.com/broofa/node-uuid/issues/118
srhoulam referenced this issue in ga-wdi-boston/node-express-session-lesson Nov 22, 2015
@srhoulam
Replace node-uuid with uuid for security concerns.
643b0c0 
https://github.com/broofa/node-uuid/issues/118
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@coolaj86 @joepie91