Skip to content

Potential fix for code scanning alert no. 84: Insecure randomness#73

Closed
Dargon789 wants to merge 0 commit intomasterfrom
alert-autofix-84
Closed

Potential fix for code scanning alert no. 84: Insecure randomness#73
Dargon789 wants to merge 0 commit intomasterfrom
alert-autofix-84

Conversation

@Dargon789
Copy link
Owner

@Dargon789 Dargon789 commented Oct 16, 2025
edited by sourcery-ai bot
Loading

Summary by Sourcery

Bug Fixes:

  • Replace insecure Math.random use in generateId with crypto.getRandomValues to generate cryptographically secure randomness.

@codesandbox
Copy link

codesandbox bot commented Oct 16, 2025

Review or Edit in CodeSandbox

Open the branch in Web EditorVS CodeInsiders

Open Preview

@bolt-new-by-stackblitz
Copy link

bolt-new-by-stackblitz bot commented Oct 16, 2025

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@sourcery-ai
Copy link

sourcery-ai bot commented Oct 16, 2025
edited
Loading

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Replace insecure Math.random with crypto.getRandomValues for ID generation in DappTransport to address security alert.

Class diagram for updated DappTransport ID generation

classDiagram
class DappTransport {
  +generateId(): string
}
DappTransport : -generateId() now uses crypto.getRandomValues instead of Math.random
Loading

File-Level Changes

Change Details Files
Secure randomness for ID generation
  • Replaced Math.random usage with window.crypto.getRandomValues on a Uint32Array
  • Converted the random value to a base-36 string instead of taking a substring from Math.random()
  • Concatenated date-based prefix with the secure random string for the final ID
 packages/wallet/dapp-client/src/DappTransport.ts
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@snyk-io
Copy link

snyk-io bot commented Oct 16, 2025

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@gemini-code-assist
Copy link

gemini-code-assist bot commented Oct 16, 2025

Summary of Changes

Hello @Dargon789, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical security concern by upgrading the random number generation mechanism used for creating unique identifiers. It transitions from a potentially insecure pseudo-random number generator to a cryptographically secure one, thereby enhancing the overall security posture of the application and mitigating risks associated with predictable IDs.

Highlights

  • Security Fix: Replaced Math.random() with window.crypto.getRandomValues() in the generateId() method within DappTransport.ts to ensure cryptographically secure random ID generation, addressing code scanning alert fix: update #84.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@Dargon789 Dargon789 closed this Oct 16, 2025
gemini-code-assist[bot]
gemini-code-assist bot reviewed Oct 16, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses an 'Insecure randomness' code scanning alert by replacing Math.random() with the cryptographically secure window.crypto.getRandomValues(). While this is a good security improvement, the current implementation changes the format of the generated ID by making the random part have a variable length. I've provided a suggestion to fix this potential issue by preserving the fixed-length format of the random string, thus avoiding potential regressions.

@Dargon789 Dargon789 deleted the alert-autofix-84 branch October 16, 2025 21:49
Dargon789 added a commit that referenced this pull request Oct 16, 2025
@Dargon789 @dependabot @gemini-code-assist
fix: Potential fix for code scanning alert no. 84: Insecure randomness
ca13357 
…#73 (#75)

* Bump the npm_and_yarn group across 3 directories with 1 update

Bumps the npm_and_yarn group with 1 update in the / directory: [happy-dom](https://github.com/capricorn86/happy-dom).
Bumps the npm_and_yarn group with 1 update in the /packages/wallet/dapp-client directory: [happy-dom](https://github.com/capricorn86/happy-dom).
Bumps the npm_and_yarn group with 1 update in the /packages/wallet/wdk directory: [happy-dom](https://github.com/capricorn86/happy-dom).


Updates `happy-dom` from 17.6.3 to 20.0.0
- [Release notes](https://github.com/capricorn86/happy-dom/releases)
- [Commits](capricorn86/happy-dom@v17.6.3...v20.0.0)

Updates `happy-dom` from 17.6.3 to 20.0.0
- [Release notes](https://github.com/capricorn86/happy-dom/releases)
- [Commits](capricorn86/happy-dom@v17.6.3...v20.0.0)

Updates `happy-dom` from 17.6.3 to 20.0.0
- [Release notes](https://github.com/capricorn86/happy-dom/releases)
- [Commits](capricorn86/happy-dom@v17.6.3...v20.0.0)

---
updated-dependencies:
- dependency-name: happy-dom
  dependency-version: 20.0.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: happy-dom
  dependency-version: 20.0.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: happy-dom
  dependency-version: 20.0.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump happy-dom in the npm_and_yarn group across 1 directory (#69)

Bumps the npm_and_yarn group with 1 update in the / directory: [happy-dom](https://github.com/capricorn86/happy-dom).


Updates `happy-dom` from 20.0.0 to 20.0.2
- [Release notes](https://github.com/capricorn86/happy-dom/releases)
- [Commits](capricorn86/happy-dom@v20.0.0...v20.0.2)

---
updated-dependencies:
- dependency-name: happy-dom
  dependency-version: 20.0.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Create SECURITY.md for security policy (#70)

* Create SECURITY.md for security policy

Add a security policy document outlining supported versions and vulnerability reporting.

Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>

* Update SECURITY.md

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>

* Update SECURITY.md

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>

---------

Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update SECURITY.md

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
@Dargon789 Dargon789 mentioned this pull request Oct 16, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Dargon789