rspec/rules/S2245/javascript/rule.adoc

include::../description.adoc[]

As the ``++Math.random()++`` function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead.

include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

* Use a cryptographically secure pseudorandom number generator (CSPRNG) like ``++crypto.getRandomValues()++``.
* Use the generated random values only once.
* You should not expose the generated random value. If you have to store it, make sure that the database or file is secure.

== Sensitive Code Example

----
const val = Math.random(); // Sensitive
// Check if val is used in a security context.
----

== Compliant Solution

[source,javascript]
----
// === Client side ===
const crypto = window.crypto || window.msCrypto;
var array = new Uint32Array(1);
crypto.getRandomValues(array);

// === Server side ===
const crypto = require('crypto');
const buf = crypto.randomBytes(1);
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 8 Dec 2018, 19:30:39 Lars Svensson wrote:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random

https://developer.mozilla.org/en-US/docs/Web/API/Window/crypto

https://nodejs.org/api/crypto.html


include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Modify rule S2245: Clarify the naming of random number generators (#4446) * Clarify the naming of random number generators 2024-10-29 10:36:18 +01:00			`include::../description.adoc[]`
Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			As the ``++Math.random()++`` function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead.
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
			`include::../ask-yourself.adoc[]`

			`== Recommended Secure Coding Practices`

Modify rule S2245: Clarify the naming of random number generators (#4446) * Clarify the naming of random number generators 2024-10-29 10:36:18 +01:00			* Use a cryptographically secure pseudorandom number generator (CSPRNG) like ``++crypto.getRandomValues()++``.
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`* Use the generated random values only once.`
			`* You should not expose the generated random value. If you have to store it, make sure that the database or file is secure.`

			`== Sensitive Code Example`

			`----`
			`const val = Math.random(); // Sensitive`
			`// Check if val is used in a security context.`
			`----`

			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,javascript]`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`----`
			`// === Client side ===`
			`const crypto = window.crypto \|\| window.msCrypto;`
			`var array = new Uint32Array(1);`
Modify rule S2245: Clarify the naming of random number generators (#4446) * Clarify the naming of random number generators 2024-10-29 10:36:18 +01:00			`crypto.getRandomValues(array);`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
			`// === Server side ===`
			`const crypto = require('crypto');`
Modify rule S2245: Clarify the naming of random number generators (#4446) * Clarify the naming of random number generators 2024-10-29 10:36:18 +01:00			`const buf = crypto.randomBytes(1);`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 8 Dec 2018, 19:30:39 Lars Svensson wrote:`
			`https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random`

			`https://developer.mozilla.org/en-US/docs/Web/API/Window/crypto`

			`https://nodejs.org/api/crypto.html`



			`include::../comments-and-links.adoc[]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`