
Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value #681

Open
ghoelzer-aws opened this issue Apr 18, 2024 · 1 comment

Comments

@ghoelzer-aws

```javascript
// Fragment from the lex-web-ui constructor as reported in this issue:
// falls back to a Math.random()-derived suffix when no userId is supplied.
this.userId = userId ||
'lex-web-ui-' +
`${Math.floor((1 + Math.random()) * 0x10000).toString(16).substring(1)}`;
```

An AWS Customer using this solution reached out to me and identified these lines of code that are failing their internal code/security scan, using GitHub CodeQL. They are asking that the following recommendation be reviewed and suggested (or similar) remediation applied: Use a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. For JavaScript on the NodeJS platform, crypto.getRandomBytes provides a cryptographically secure pseudo-random byte generator. For JavaScript in the browser, RandomSource.getRandomValues provides a cryptographically secure pseudo-random number generator.

@atjohns
Contributor

atjohns commented Apr 25, 2024

Thanks, we will include this upgrade in our 0.20.3 release
