Commit a2994c0

Merge pull request #16507 from erik-krogh/up-insecure-randomness
JS: Update the insecure-randomness QHelp
2 parents 98d2c84 + 56dff85 commit a2994c0

2 files changed

+5
-3
lines changed

javascript/ql/src/Security/CWE-338/InsecureRandomness.qhelp

Lines changed: 2 additions & 2 deletions
@@ -36,7 +36,7 @@
3636
<p>
3737

3838
For JavaScript in the browser,
39-
<code>RandomSource.getRandomValues</code> provides a cryptographically
39+
<code>crypto.getRandomValues</code> provides a cryptographically
4040
secure pseudo-random number generator.
4141

4242
</p>
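Review bot: the replacement text in this hunk names `crypto.getRandomValues` without saying which `crypto` object is meant, while the sentence just before it says "For JavaScript in the browser" and the fixed example in this same commit calls `window.crypto.getRandomValues`. Consider matching the example (`<code>window.crypto.getRandomValues</code>`) or stating that `crypto` here is the browser's global `Crypto` instance, so readers do not confuse it with the Node `crypto` module whose `crypto.randomBytes` is referenced further down in the same qhelp.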
@@ -69,7 +69,7 @@
6969

7070
<references>
7171
<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Pseudorandom_number_generator">Pseudo-random number generator</a>.</li>
72-
<li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues">RandomSource.getRandomValues</a>.</li>
72+
<li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues">Crypto: getRandomValues()</a>.</li>
7373
<li>NodeJS: <a href="https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback">crypto.randomBytes</a></li>
7474
</references>
7575
</qhelp>
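Review bot: the updated MDN entry on line 72 ends with a period like the Wikipedia entry above it, but the unchanged NodeJS entry on line 73 (`<li>NodeJS: <a ...>crypto.randomBytes</a></li>`) does not; since this hunk already touches the list, consider adding the trailing period for consistency. The new link text `Crypto: getRandomValues()` and URL (`/Web/API/Crypto/getRandomValues`) now agree with the `crypto.getRandomValues` wording introduced in the first hunk, which is the right pairing.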

javascript/ql/src/Security/CWE-338/examples/InsecureRandomness_fixed.js

Lines changed: 3 additions & 1 deletion
@@ -2,5 +2,7 @@ function securePassword() {
22
// GOOD: the random suffix is cryptographically secure
33
var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];
44
var password = "myPassword" + suffix;
5-
return password;
5+
6+
// GOOD: if a random value between 0 and 1 is desired
7+
var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);
68
}
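Review bot: removing `return password;` leaves `securePassword()` with no return value, and the newly added `secret` is assigned but never used, so the "fixed" example no longer shows a function that does anything with its secure random value. Keep the return (for example `return password;` after the new lines) and either return or use `secret`, or put the `[0, 1)` idiom in a second small function so each example stays self-contained. It would also help the comment on line 6 to say that `getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32)` yields a value in `[0, 1)` (never exactly 1), since "between 0 and 1" is ambiguous about the endpoints and this is the property a reader replacing `Math.random()` will rely on.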
