From 066f3b61a2849f602230eabccdb45f0f98199817 Mon Sep 17 00:00:00 2001
From: erik-krogh
Date: Thu, 16 May 2024 11:14:50 +0200
Subject: [PATCH 1/2] RandomSource is deprecated, it's crypto now
---
 javascript/ql/src/Security/CWE-338/InsecureRandomness.qhelp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/javascript/ql/src/Security/CWE-338/InsecureRandomness.qhelp b/javascript/ql/src/Security/CWE-338/InsecureRandomness.qhelp
index 5835a8060c1..83786a014a0 100644
--- a/javascript/ql/src/Security/CWE-338/InsecureRandomness.qhelp
+++ b/javascript/ql/src/Security/CWE-338/InsecureRandomness.qhelp
@@ -36,7 +36,7 @@

 For JavaScript in the browser,
- RandomSource.getRandomValues provides a cryptographically
+ crypto.getRandomValues provides a cryptographically
 secure pseudo-random number generator.

@@ -69,7 +69,7 @@
  • Wikipedia: Pseudo-random number generator.
  • -
  • Mozilla Developer Network: RandomSource.getRandomValues.
  • +
  • Mozilla Developer Network: Crypto: getRandomValues().
  • NodeJS: crypto.randomBytes
From 56dff8540f78be6cecea395df4eefd1fee823d05 Mon Sep 17 00:00:00 2001
From: erik-krogh
Date: Thu, 16 May 2024 11:15:07 +0200
Subject: [PATCH 2/2] add an example of how to get a floating point value between 0 and 1
---
 .../src/Security/CWE-338/examples/InsecureRandomness_fixed.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/javascript/ql/src/Security/CWE-338/examples/InsecureRandomness_fixed.js b/javascript/ql/src/Security/CWE-338/examples/InsecureRandomness_fixed.js
index e3f96cf1680..54a3094932c 100644
--- a/javascript/ql/src/Security/CWE-338/examples/InsecureRandomness_fixed.js
+++ b/javascript/ql/src/Security/CWE-338/examples/InsecureRandomness_fixed.js
@@ -2,5 +2,7 @@ function securePassword() {
 // GOOD: the random suffix is cryptographically secure
 var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];
 var password = "myPassword" + suffix;
- return password;
+
+ // GOOD: if a random value between 0 and 1 is desired
+ var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);
 }
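Review bot: The hunk removes `return password;` and never adds it back (the diffstat's one deletion is that line), so `securePassword` now returns `undefined` and both `password` and `secret` are dead locals; since this file is the "fixed" example shown to users, it should remain a working function. Keep the return as the last statement, e.g. place `var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);` before it and end with `return password;`. A smaller point on the new line: one `Uint32` scaled by `Math.pow(2,-32)` is uniform on [0, 1) but carries only 32 bits of randomness, fewer than the 53 bits a double can hold, so a comment such as `// 32 bits of entropy; combine two words if full double precision is needed` would keep readers from treating it as a resolution-identical drop-in for `Math.random()`.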