Merge pull request #16507 from erik-krogh/up-insecure-randomness

JS: Update the insecure-randomness QHelp
2026-02-20 08:53:49 +01:00 · 2024-05-16 12:52:09 +02:00
parent 98d2c848bb 56dff8540f
commit a2994c073a
2 changed files with 5 additions and 3 deletions
--- a/javascript/ql/src/Security/CWE-338/InsecureRandomness.qhelp
+++ b/javascript/ql/src/Security/CWE-338/InsecureRandomness.qhelp
@@ -36,7 +36,7 @@
 		<p>

 			For JavaScript in the browser,
-			<code>RandomSource.getRandomValues</code> provides a cryptographically
+			<code>crypto.getRandomValues</code> provides a cryptographically
 			secure pseudo-random number generator.

 		</p>
@@ -69,7 +69,7 @@

 	<references>
 		<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Pseudorandom_number_generator">Pseudo-random number generator</a>.</li>
-		<li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues">RandomSource.getRandomValues</a>.</li>
+		<li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues">Crypto: getRandomValues()</a>.</li>
 		<li>NodeJS: <a href="https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback">crypto.randomBytes</a></li>
 	</references>
 </qhelp>
--- a/javascript/ql/src/Security/CWE-338/examples/InsecureRandomness_fixed.js
+++ b/javascript/ql/src/Security/CWE-338/examples/InsecureRandomness_fixed.js
@@ -2,5 +2,7 @@ function securePassword() {
    // GOOD: the random suffix is cryptographically secure
    var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];
    var password = "myPassword" + suffix;
-    return password;
+    
+    // GOOD: if a random value between 0 and 1 is desired
+    var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);
 }