
fix: use uuid for test cookie value #495

Merged (2 commits), Jan 28, 2022

Conversation

kevinpagtakhan
Contributor

Summary

Fixes #481

areCookiesEnabled() creates a cookie that gets rejected by firewalls due to some special characters included in TZ names. It should be safe to replace this cookie value with virtually anything (w/o special characters) since this is short lived and only used to determine if cookies are enabled. I decided to change it to a random-ish value, to avoid potential conflict.

Checklist

  • Does your PR title have the correct title format?
  • Does your PR have a breaking change?: No

@secure-code-warrior-for-github

Based on output from pull request status check:

Micro-Learning Topic: Insecure randomness (Detected by phrase)

Matched on "Insecure randomness"

What is this? (2min video)

This vulnerability manifests when some security construct depends on a random component and this component is somehow guessable (or just not random).

Try this challenge in Secure Code Warrior

@lgtm-com

lgtm-com bot commented Jan 27, 2022

This pull request introduces 1 alert when merging 42e1f95 into 064944c - view on LGTM.com

new alerts:

  • 1 for Insecure randomness

Review thread on src/base-cookie.js (outdated, resolved)
@kevinpagtakhan kevinpagtakhan merged commit 03e270e into main Jan 28, 2022
@kevinpagtakhan kevinpagtakhan deleted the AMP-47142-temp-cookie-name branch January 28, 2022 19:07
github-actions bot pushed a commit that referenced this pull request Jan 28, 2022
## [8.16.1](v8.16.0...v8.16.1) (2022-01-28)

### Bug Fixes

* use Date.now() for test cookie value ([#495](#495)) ([03e270e](03e270e))
@github-actions

🎉 This PR is included in version 8.16.1 🎉

The release is available on:

Your semantic-release bot 📦🚀


Successfully merging this pull request may close these issues.

amp_cookie_test cookie values can contain disallowed characters