firebase / firebase-js-sdk

Firebase Javascript SDK
https://firebase.google.com/docs/web/setup

Don't use Math.random() to generate UUIDs #6462

Open luc122c opened 2 years ago

luc122c commented 2 years ago

[REQUIRED] Describe your environment

[REQUIRED] Describe the problem

The UUID function that Firebase uses has been 'borrowed' from Stack Overflow and uses Math.random() to generate random numbers. It's well documented that Math.random() is not a good source of randomness anymore; in fact the answer that is linked to has been updated to use Crypto.getRandomValues() instead.

Perhaps this function could be updated/replaced to use a more up-to-date method of calculating UUIDs.

Relevant Code:

Source Code

Further information:

google-oss-bot commented 2 years ago

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

hsubox76 commented 2 years ago

Thanks. It looks like Node support for Crypto.getRandomValues() is fairly recent (Node 15) so if we update to it, we'll probably want to make sure we wrap it in a try/catch and fall back to Math.random() as needed.
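As an added example (not the firebase-js-sdk helper itself), here is a v4 UUID generator that draws its 16 bytes from `crypto.getRandomValues()` and falls back to `Math.random()` inside a try/catch, as suggested above; the function names and the `source` tag telling the caller which generator was actually used are my own.

```javascript
// Added example, not the SDK's code: RFC 4122 version 4 UUID from a CSPRNG,
// with the Math.random() fallback discussed in the thread kept explicit.

function getCrypto() {
  // Browsers and Node >= 19 expose WebCrypto as a global.
  if (typeof globalThis.crypto?.getRandomValues === 'function') return globalThis.crypto;
  try {
    // Node 15-18: WebCrypto is reachable via the built-in module.
    return require('crypto').webcrypto ?? null;
  } catch {
    return null; // no require() (ESM) or no crypto module at all
  }
}

function randomBytes(n) {
  const bytes = new Uint8Array(n);
  const c = getCrypto();
  if (c && typeof c.getRandomValues === 'function') {
    c.getRandomValues(bytes);
    return { bytes, source: 'crypto' };
  }
  // Fallback for runtimes without getRandomValues: NOT cryptographically
  // secure. The source tag lets callers log or refuse this path.
  for (let i = 0; i < n; i++) bytes[i] = Math.floor(Math.random() * 256);
  return { bytes, source: 'math-random' };
}

function uuidv4FromBytes(bytes) {
  if (bytes.length !== 16) throw new RangeError('need exactly 16 bytes');
  const b = Uint8Array.from(bytes);
  b[6] = (b[6] & 0x0f) | 0x40; // set version nibble to 4
  b[8] = (b[8] & 0x3f) | 0x80; // set variant bits to 10xx (RFC 4122)
  const hex = Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
}

function uuidv4() {
  return uuidv4FromBytes(randomBytes(16).bytes);
}

// Strict v4 shape check: version 4, variant in [89ab].
const UUID_V4_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;
function isUuidV4(s) {
  return UUID_V4_RE.test(s);
}
```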