Simplifies the format for client IDs. #2072
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The existing code created a 128-bit UUIDv4 from a `Random` object with ~32 bits of entropy. The server and protocol doesn't actually care about the format. This implementation creates a simple 6-character string encoding a 32-bit random number, which doesn't look like it has more entropy than it does.
PR HealthBreaking changes ✔️
Changelog Entry ✔️
Changes to files need to be accounted for in their respective changelogs.
Coverage
|
| File | Coverage |
|---|---|
| pkgs/sse/lib/client/sse_client.dart | 💔 Not covered |
| pkgs/sse/lib/src/util/id.dart | 💔 Not covered |
This check for test coverage is informational (issues shown here will not fail the PR).
This check can be disabled by tagging the PR with skip-coverage-check.
API leaks ✔️
The following packages contain symbols visible in the public API, but not exported by the library. Export these symbols or remove them from your publicly visible API.
| Package | Leaked API symbols |
|---|
License Headers ✔️
// Copyright (c) 2025, the Dart project authors. Please see the AUTHORS file
// for details. All rights reserved. Use of this source code is governed by a
// BSD-style license that can be found in the LICENSE file.
| Files |
|---|
| no missing headers |
All source files should start with a license header.
Unrelated files missing license headers
| Files |
|---|
| pkgs/bazel_worker/benchmark/benchmark.dart |
| pkgs/bazel_worker/example/client.dart |
| pkgs/bazel_worker/example/worker.dart |
| pkgs/benchmark_harness/integration_test/perf_benchmark_test.dart |
| pkgs/boolean_selector/example/example.dart |
| pkgs/clock/lib/clock.dart |
| pkgs/clock/lib/src/clock.dart |
| pkgs/clock/lib/src/default.dart |
| pkgs/clock/lib/src/stopwatch.dart |
| pkgs/clock/lib/src/utils.dart |
| pkgs/clock/test/clock_test.dart |
| pkgs/clock/test/default_test.dart |
| pkgs/clock/test/stopwatch_test.dart |
| pkgs/clock/test/utils.dart |
| pkgs/coverage/lib/src/coverage_options.dart |
| pkgs/coverage/test/collect_coverage_config_test.dart |
| pkgs/coverage/test/config_file_locator_test.dart |
| pkgs/html/example/main.dart |
| pkgs/html/lib/dom.dart |
| pkgs/html/lib/dom_parsing.dart |
| pkgs/html/lib/html_escape.dart |
| pkgs/html/lib/parser.dart |
| pkgs/html/lib/src/constants.dart |
| pkgs/html/lib/src/encoding_parser.dart |
| pkgs/html/lib/src/html_input_stream.dart |
| pkgs/html/lib/src/list_proxy.dart |
| pkgs/html/lib/src/query_selector.dart |
| pkgs/html/lib/src/token.dart |
| pkgs/html/lib/src/tokenizer.dart |
| pkgs/html/lib/src/treebuilder.dart |
| pkgs/html/lib/src/utils.dart |
| pkgs/html/test/dom_test.dart |
| pkgs/html/test/parser_feature_test.dart |
| pkgs/html/test/parser_test.dart |
| pkgs/html/test/query_selector_test.dart |
| pkgs/html/test/selectors/level1_baseline_test.dart |
| pkgs/html/test/selectors/level1_lib.dart |
| pkgs/html/test/selectors/selectors.dart |
| pkgs/html/test/support.dart |
| pkgs/html/test/tokenizer_test.dart |
| pkgs/pubspec_parse/test/git_uri_test.dart |
| pkgs/stack_trace/example/example.dart |
| pkgs/watcher/test/custom_watcher_factory_test.dart |
| pkgs/yaml_edit/example/example.dart |
Package publishing
Documentation at https://github.com/dart-lang/ecosystem/wiki/Publishing-automation. |
bkonyi
approved these changes
Apr 10, 2025
| /// Generates a pseudo-random ID string with 32 bits of entropy. | ||
| String generateId() { | ||
| final chars = List<int>.filled(6, 0); | ||
| final random = Random(); |
There was a problem hiding this comment.
Would there be any benefit if we used Random.secure() instead? I'm guessing no, since this isn't actually being used as a secret.
There was a problem hiding this comment.
Depends on why an ID is being generated to begin with.
If the goal is just to avoid ID collisions, then it depends on how many simultaneous clients a server will have. Too many, and a 32-bit PRNG generated ID might be insufficient to (statistically) avoid two with the same ID.
Then more randomness is enough, it doesn't have to be secure.
If the goal is to prevent someone deliberately forging the same ID as another client, then being secure might be more important than being more random. Brute force might still not be viable.
Update copyright year.
copybara-service bot
pushed a commit
to dart-lang/sdk
that referenced
this pull request
Apr 16, 2025
Revisions updated by `dart tools/rev_sdk_deps.dart`. ecosystem (https://github.com/dart-lang/ecosystem/compare/7f6f1c1..815d4ba): 815d4ba 2025-04-15 Devon Carew [firehose] don't fail publish validation if we see the pub pre-release warning (dart-lang/ecosystem#357) e7bae16 2025-04-15 Moritz Fix label fetching (dart-lang/ecosystem#358) 7aa1313 2025-04-15 Moritz Fix PR label fetching (dart-lang/ecosystem#356) test (https://github.com/dart-lang/test/compare/8643fbf..84eba11): 84eba115 2025-04-11 Daco Harkes [native assets] Add support for pub workspaces (dart-lang/test#2484) ab850972 2025-04-11 Daco Harkes [native assets] Add support for pub workspaces 9f9fd77d 2025-04-10 Nate Bosch Migrate host.dart to new JS interop (dart-lang/test#2448) tools (https://github.com/dart-lang/tools/compare/d74f9e1..4a28415): 4a284152 2025-04-15 Moritz [package:code_builder] Remove transitive dependency on package:macros (dart-lang/tools#2073) 2bb6eba7 2025-04-11 Lasse R.H. Nielsen Simplifies the format for client IDs. (dart-lang/tools#2072) 77e41774 2025-04-10 Liam Appelbe [coverage] Prepare to publish (dart-lang/tools#2070) e7168ae1 2025-04-10 Liam Appelbe [coverage] Finish collection as soon as main isolate exits (dart-lang/tools#2069) vector_math (https://github.com/google/vector_math.dart/compare/f08d7d2..dc9d379): dc9d379 2025-04-15 Lukas Klingsbo chore: Remove test_all.dart since this is built-in to `dart test` (google/vector_math.dart#343) webdev (https://github.com/dart-lang/webdev/compare/c8b1cfa..5bf833d): 5bf833d0 2025-04-15 Srujan Gaddam Support hot reload testing (dart-lang/webdev#2611) fa0b74bf 2025-04-14 Srujan Gaddam Add support for hot restart tests in DWDS with the frontend server (dart-lang/webdev#2608) Change-Id: Ic3ff6ed88ee2db935dc48fafe1e16a869d73506c Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/422580 Reviewed-by: Ivan Inozemtsev <iinozemtsev@google.com> Commit-Queue: Ivan Inozemtsev <iinozemtsev@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The existing code created a 128-bit UUIDv4 from a
Randomobject with ~32 bits of entropy.The server and protocol don't care about the format, almost any string is valid and accepted.
This implementation creates a simple 6-character string encoding a 32-bit random number,
which doesn't look like it has more entropy than it does.
(If more entropy is desired, the code should start using a real UUID generator or a better
random source.)
Fixes #2071.