RELEASE - 25.2 push to production #1090
Conversation
feat(tailwind): add tailwind sample
update packages for 25.2 vr
…le-transfer feat(grid-lite): adding grid lite samples
…fix-urls fix(grid-lite): renaming samples so they match urls from docfx
* mdd-update-bing-sample mdd-update-bing-sample * mdd-update-display-all mdd-update-display-all * mdd-review-update mdd-review-update * Update index.html * Update index.ts * mdd-update mdd-update
mdd-update
fix(grid-lite): various fixes and improvements
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| const lastName = this.randomElement(this.lastNames); | ||
| return { | ||
| id: this.generateId(), | ||
| username: `${firstName.toLowerCase()}.${lastName.toLowerCase()}${this.randomInt(1, 99)}`, |
Check failure
Code scanning / CodeQL
Insecure randomness High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 days ago
To address the issue, we need to ensure all randomness used in security-sensitive values uses a cryptographically secure generator. In this codebase, the randomInt method should use secure randomness instead of Math.random(). For browser environments, we can use window.crypto.getRandomValues to securely generate random integers. Specifically, we'll reimplement randomInt using crypto.getRandomValues, following best practices to avoid modulo bias and covering the desired range. We only need to edit within the code shown in samples/grids/grid-lite/column-config-basic/src/GridLiteDataService.ts. No changes to external logic or method calls are necessary elsewhere in the file.
| @@ -39,7 +39,18 @@ | ||
| private priorities: ('Low' | 'Standard' | 'High')[] = ['Low', 'Standard', 'High']; | ||
|
|
||
| private randomInt(min: number, max: number): number { | ||
| return Math.floor(Math.random() * (max - min + 1)) + min; | ||
| // Use crypto.getRandomValues for secure random integer generation | ||
| const range = max - min + 1; | ||
| if (range <= 0) throw new Error("Invalid range for randomInt. Max must be >= min."); | ||
| const maxUint32 = 0xFFFFFFFF; | ||
| const limit = maxUint32 - (maxUint32 % range); | ||
| let rand: number; | ||
| do { | ||
| const array = new Uint32Array(1); | ||
| window.crypto.getRandomValues(array); | ||
| rand = array[0]; | ||
| } while (rand > limit); | ||
| return min + (rand % range); | ||
| } | ||
|
|
||
| private randomFloat(min: number, max: number, precision = 2): number { |
| const lastName = this.randomElement(this.lastNames); | ||
| return { | ||
| id: this.generateId(), | ||
| username: `${firstName.toLowerCase()}.${lastName.toLowerCase()}${this.randomInt(1, 99)}`, |
Check failure
Code scanning / CodeQL
Insecure randomness High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 days ago
The best fix is to replace the use of Math.random() inside the randomInt method with a cryptographically secure random number generator. In a browser environment, window.crypto.getRandomValues is suitable. This is already used for randomFloat and randomBoolean. For randomInt, we should use getRandomValues to obtain a random value and map it to the required range [min, max], ensuring uniform randomness and avoiding modulo bias. The required code change will be within the randomInt method, replacing its implementation, and no new imports are necessary since window.crypto is a browser global.
| @@ -39,7 +39,20 @@ | ||
| private priorities: ('Low' | 'Standard' | 'High')[] = ['Low', 'Standard', 'High']; | ||
|
|
||
| private randomInt(min: number, max: number): number { | ||
| return Math.floor(Math.random() * (max - min + 1)) + min; | ||
| // Use cryptographically secure random number generator | ||
| const range = max - min + 1; | ||
| if (range <= 0) { | ||
| throw new Error('Invalid range for randomInt'); | ||
| } | ||
| const maxUint32 = 0xFFFFFFFF; | ||
| const array = new Uint32Array(1); | ||
| window.crypto.getRandomValues(array); | ||
| // Reject values outside [0, maxUint32 - (maxUint32 % range)] to remove modulo bias | ||
| const threshold = maxUint32 - (maxUint32 % range); | ||
| while (array[0] > threshold) { | ||
| window.crypto.getRandomValues(array); | ||
| } | ||
| return min + (array[0] % range); | ||
| } | ||
|
|
||
| private randomFloat(min: number, max: number, precision = 2): number { |
| const lastName = this.randomElement(this.lastNames); | ||
| return { | ||
| id: this.generateId(), | ||
| username: `${firstName.toLowerCase()}.${lastName.toLowerCase()}${this.randomInt(1, 99)}`, |
Check failure
Code scanning / CodeQL
Insecure randomness High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 days ago
The best way to fix this problem is to ensure that all random number generation, especially if used for IDs, usernames, or data that could have security impact, uses a cryptographically secure pseudo-random number generator. In this codebase, the rest of random functions prefer window.crypto.getRandomValues (for browser context). Therefore, update randomInt to use window.crypto.getRandomValues instead of Math.random(). This maintains consistent use of secure randomness across all methods using random values. This change should occur only within the code of the provided snippet (the GridLiteDataService.ts file), specifically by replacing the implementation of randomInt. No other methods or excessive refactors are needed.
If the code is running in Node.js, window.crypto is not available, but in the provided code, browser-style APIs are used. If this code is only running in a browser, use window.crypto.getRandomValues. If you must support Node.js, you would have to polyfill this (e.g., with require('crypto').randomBytes), but since you are asked to only use well-known libraries and only edit shown code, stick with the browser API.
| @@ -39,7 +39,19 @@ | ||
| private priorities: ('Low' | 'Standard' | 'High')[] = ['Low', 'Standard', 'High']; | ||
|
|
||
| private randomInt(min: number, max: number): number { | ||
| return Math.floor(Math.random() * (max - min + 1)) + min; | ||
| // Use window.crypto.getRandomValues for cryptographically secure random numbers | ||
| const range = max - min + 1; | ||
| if (range <= 0) throw new Error('max must be >= min'); | ||
| // Calculate number of bits needed for the range | ||
| const maxUint32 = 0xFFFFFFFF; | ||
| const maxGenerated = Math.floor(maxUint32 / range) * range; | ||
| let rand; | ||
| do { | ||
| const array = new Uint32Array(1); | ||
| window.crypto.getRandomValues(array); | ||
| rand = array[0]; | ||
| } while (rand >= maxGenerated); | ||
| return min + (rand % range); | ||
| } | ||
|
|
||
| private randomFloat(min: number, max: number, precision = 2): number { |
| const lastName = this.randomElement(this.lastNames); | ||
| return { | ||
| id: this.generateId(), | ||
| username: `${firstName.toLowerCase()}.${lastName.toLowerCase()}${this.randomInt(1, 99)}`, |
Check failure
Code scanning / CodeQL
Insecure randomness High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 days ago
To fix the insecure randomness, we should modify the randomInt() method so that it uses a cryptographically secure PRNG. This can be done by using window.crypto.getRandomValues() in the browser context (since the code currently uses the browser's window.crypto already). We should generate a random unsigned integer, normalize it into a [0, 1) float, and scale it to the range [min, max], taking care to avoid modulo bias.
Specifically: replace the implementation of randomInt() (lines 41-43) to use a cryptographically secure approach similar to that in randomFloat() and randomBoolean(). No new imports are needed, as window.crypto is already assumed present.
Only the method definition of randomInt (lines 41-43) needs editing.
| @@ -39,7 +39,21 @@ | ||
| private priorities: ('Low' | 'Standard' | 'High')[] = ['Low', 'Standard', 'High']; | ||
|
|
||
| private randomInt(min: number, max: number): number { | ||
| return Math.floor(Math.random() * (max - min + 1)) + min; | ||
| // Use window.crypto.getRandomValues to generate a secure random integer in [min, max]. | ||
| const range = max - min + 1; | ||
| if (range <= 0) { | ||
| throw new Error('Invalid range for randomInt'); | ||
| } | ||
| // Calculate the max value we can safely use to avoid modulo bias | ||
| const maxUint32 = 0xFFFFFFFF; | ||
| const threshold = maxUint32 - (maxUint32 % range); | ||
| let rand: number; | ||
| const arr = new Uint32Array(1); | ||
| do { | ||
| window.crypto.getRandomValues(arr); | ||
| rand = arr[0]; | ||
| } while (rand >= threshold); | ||
| return min + (rand % range); | ||
| } | ||
|
|
||
| private randomFloat(min: number, max: number, precision = 2): number { |
| const lastName = this.randomElement(this.lastNames); | ||
| return { | ||
| id: this.generateId(), | ||
| username: `${firstName.toLowerCase()}.${lastName.toLowerCase()}${this.randomInt(1, 99)}`, |
Check failure
Code scanning / CodeQL
Insecure randomness High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 days ago
To fix the problem, replace the use of Math.random() with a cryptographically secure random number generator for the username suffix. In browser environments, use window.crypto.getRandomValues(); in Node.js, use crypto.randomBytes(). Since the code is already using window.crypto.getRandomValues() in other methods in this class, we can refactor the randomInt method to use it as well.
Edit samples/grids/grid-lite/filtering-config/src/GridLiteDataService.ts, replacing the implementation of the randomInt method (lines 41-43) with one that uses window.crypto.getRandomValues() to generate a cryptographically secure random integer in the desired range.
No additional imports are needed, as window.crypto is used and already referenced. The new implementation must ensure an unbiased selection between min and max, inclusive, and avoid modulo bias. For simplicity and security, use rejection sampling to avoid modulo bias if the range is not a power of two.
| @@ -39,7 +39,19 @@ | ||
| private priorities: ('Low' | 'Standard' | 'High')[] = ['Low', 'Standard', 'High']; | ||
|
|
||
| private randomInt(min: number, max: number): number { | ||
| return Math.floor(Math.random() * (max - min + 1)) + min; | ||
| // Generate a cryptographically secure random integer between min and max (inclusive) | ||
| const range = max - min + 1; | ||
| if (range <= 0) { | ||
| throw new Error("Invalid range for randomInt"); | ||
| } | ||
| const maxUint32 = 0xFFFFFFFF; | ||
| const array = new Uint32Array(1); | ||
| let randomNumber; | ||
| do { | ||
| window.crypto.getRandomValues(array); | ||
| randomNumber = array[0]; | ||
| } while (randomNumber > maxUint32 - ((maxUint32 + 1) % range)); | ||
| return min + (randomNumber % range); | ||
| } | ||
|
|
||
| private randomFloat(min: number, max: number, precision = 2): number { |
No description provided.