
Insecure Randomness - Issue #848

Closed
karthikdav opened this issue May 27, 2019 · 5 comments
Assignees
Labels
Area: Development Status: Approved Is ready to be worked on Type: Enhancement New feature or request

Comments

@karthikdav

When scanned with Fortify scanner, it reported Insecure Randomness for function Math.random() since it was generating cryptographically weak random numbers.

@NicolaiSoeborg

It's used in src/diagrams/git/gitGraphAst.js to generate a random id.
That function does not have to be securely random, so this isn't a problem.

If anything, then I think the random seed should be fixed to some constant to avoid hard-to-debug problems.

@knsv
Collaborator

knsv commented Jun 4, 2019

Thanks, that should be easy enough to fix. Waiting for some comments on this proposal before doing anything though.

@github-actions
Contributor

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you are still interested in it, and it is still relevant, you can comment or remove the label to revive it.

@github-actions github-actions bot added the Type: New Shape Request for new shape label Sep 24, 2019
@IOrlandoni IOrlandoni added Area: Development Good first issue! Contributor needed Status: Approved Is ready to be worked on Type: Enhancement New feature or request and removed Type: New Shape Request for new shape labels Sep 26, 2019
@IOrlandoni
Member

If it's cheap to fix, we might as well do it so it does not show up on scans.

@mearns
Contributor

mearns commented Oct 2, 2019

I'll take a look and send in a PR. Sounds as simple as replacing the call to Math.random() with a cryptographically secure PRNG, am I missing anything else?

mearns added a commit to mearns/mermaid that referenced this issue Oct 2, 2019
IOrlandoni added a commit that referenced this issue Oct 2, 2019
@github-actions github-actions bot locked and limited conversation to collaborators Oct 2, 2019