sdk/webpubsub-chat-sdk/client/examples/teams-lite/python_server/core/chat_api.py
| "license": "ISC", | ||
| "dependencies": { | ||
| "@azure/logger": "^1.3.0", | ||
| "@azure/web-pubsub-client": "file:G:\\\\azure-sdk-for-js\\\\sdk\\\\web-pubsub\\\\web-pubsub-client", |
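Review bot: the "@azure/web-pubsub-client" dependency points at a local Windows path (file:G:\\...), so npm install fails for anyone without that exact checkout at that drive letter, including CI. The thread says this is temporary until the Invoke feature ships; before merge, pin to the published version (or a workspace/tarball reference) and make sure the lockfile does not carry the local path either.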
Use local package temporarily. Invoke feature hasn't been released to public yet.
ae8bddc to
509411c
|
|
||
| export async function createTestClient(userId?: string): Promise<ChatClient> { | ||
| if (!userId) { | ||
| userId = `uid-${randomInt()}`; |
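Review bot: when no userId is supplied it falls back to `uid-${randomInt()}`, and randomInt (per the definition in the autofix diff below) is Math.floor(Math.random() * 10000000), which CodeQL reports as insecure randomness. For a test-only identifier the predictability risk is limited, but the fix is cheap (switch randomInt to crypto.randomInt as suggested). Separately, a 7-digit number gives roughly a 50% chance of a duplicate after about 3,200 ids (birthday bound on 10^7 values), so if tests depend on distinct users, consider an id scheme that guarantees uniqueness rather than one that is merely random.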
Check failure: Code scanning / CodeQL: Insecure randomness (High, test)
Copilot Autofix (AI, 5 days ago)
In general, to fix this kind of issue you should replace uses of Math.random() in security-relevant contexts with a cryptographically secure random generator, such as Node’s crypto.randomInt or crypto.randomBytes, or the browser’s crypto.getRandomValues. This avoids predictable sequences that can be guessed or brute‑forced.
For this specific file (sdk/webpubsub-chat-sdk/tests/testUtils.ts), the simplest fix that preserves existing behavior is to change randomInt to use Node’s crypto.randomInt, which directly returns an integer in a specified range with uniform distribution, instead of Math.random(). We can import randomInt from Node’s built‑in crypto module under an alias (e.g. secureRandomInt) to avoid naming conflicts with the existing randomInt function. Then, inside our exported randomInt helper, we call secureRandomInt(0, 10000000) instead of computing Math.floor(Math.random() * 10000000). This preserves the approximate range and type while making the randomness cryptographically secure. No other functions (getUserIds, createTestClient, etc.) need to change, since they already call randomInt().
Concretely:
- Add an import of randomInt from "crypto" at the top of testUtils.ts, aliased to avoid clashing with the existing function.
- Update the implementation of export const randomInt to call the imported secure function.
- Leave all call sites (getUserIds, createTestClient) unchanged.
| @@ -1,5 +1,6 @@ | ||
| import { WebPubSubClient } from "@azure/web-pubsub-client"; | ||
| import { ChatClient } from "../src/chatClient.js"; | ||
| import { randomInt as secureRandomInt } from "crypto"; | ||
|
|
||
| // Test configuration | ||
| export const negotiateUrl = "http://localhost:3000/negotiate"; | ||
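Review bot: the new import uses the bare "crypto" specifier while the surrounding code is ESM (the relative import ends in .js); prefer `import { randomInt as secureRandomInt } from "node:crypto";` so the built-in module is unambiguous and cannot be shadowed by an npm package of the same name. Placing it next to the other external import, above the relative one, would also match the file's existing import order.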
| @@ -7,7 +8,7 @@ | ||
| export const LONG_TEST_TIMEOUT = 10 * 1000; | ||
|
|
||
| // Helper functions | ||
| export const randomInt = () => Math.floor(Math.random() * 10000000); | ||
| export const randomInt = () => secureRandomInt(0, 10000000); | ||
|
|
||
| export const getUserIds = (count: number): string[] => { | ||
| const userIds: string[] = []; |
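Review bot: secureRandomInt(0, 10000000) preserves the original range exactly, since crypto.randomInt treats max as exclusive and the old Math.floor(Math.random() * 10000000) also topped out at 9,999,999, so getUserIds and createTestClient see no behavioural change. The weakness that remains is collisions rather than predictability: a value below 10^7 carries about 23 bits, so around sqrt(10^7) (~3,200) generated ids reach a 50% chance of a duplicate; if any test relies on ids being distinct, crypto.randomUUID() or a counter would be a better fit than a random integer.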