include::../description.adoc[]

As the ``++Math.random()++`` function relies on a weak pseudorandom number generator, it should not be used for security-critical purposes or to protect sensitive data: its output is not cryptographically strong and can become predictable to an attacker who observes enough previous values. In such contexts, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead.

include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

* Use a cryptographically secure pseudorandom number generator (CSPRNG), such as ``++crypto.getRandomValues()++`` in the browser or ``++crypto.randomBytes()++`` in Node.js.
* Use each generated random value only once.
* Do not expose the generated random value. If you have to store it, make sure that the database or file holding it is secure.
== Sensitive Code Example

[source,javascript]
----
const val = Math.random(); // Sensitive
// Check if val is used in a security context.
----
== Compliant Solution

[source,javascript]
----
// === Client side ===
// window.crypto is the Web Crypto API; window.msCrypto is the prefixed
// name used by old Internet Explorer builds.
const crypto = window.crypto || window.msCrypto;
const array = new Uint32Array(1);
crypto.getRandomValues(array); // fills the array with cryptographically strong values

// === Server side (Node.js, a separate module from the snippet above) ===
const crypto = require('crypto');
const buf = crypto.randomBytes(1); // one byte from the CSPRNG
----
include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 8 Dec 2018, 19:30:39 Lars Svensson wrote:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random

https://developer.mozilla.org/en-US/docs/Web/API/Window/crypto

https://nodejs.org/api/crypto.html

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]