🛡️ Sentinel: [HIGH] Replace insecure Math.random() with cryptographically secure random values

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2024-05-04 - [Replaced Insecure Math.random() with Cryptographically Secure Code Generation]
+**Vulnerability:** Weak random number generation (`Math.random()`) was being used for sensitive security mechanisms like generating discount coupons (`BRG-XXXX`) and store credit codes (`CREDIT-XXXX`), which could lead to predictable codes and potential financial loss if guessed by attackers.
+**Learning:** `Math.random()` is not cryptographically secure and should never be used for tokens, passwords, discount codes, or anything that requires unpredictability. The repository requires a secure implementation for tokens.
+**Prevention:** Always use `globalThis.crypto.getRandomValues()` or `crypto.randomUUID()` when generating secure, random values. I added `generateSecureCode(prefix, length)` to `lib/utils.ts` to ensure consistent cryptographic safety.

app/api/bargain/route.ts

@@ -3,6 +3,7 @@ import { bargainModel } from "@/lib/nim";
 import { db, user, coupons, bargainSessions, products, combos } from "@/lib/db";
 import { and, eq, inArray } from "drizzle-orm";
 import { headers } from "next/headers";
+import { generateSecureCode } from "@/lib/utils";
 import { auth } from "@/lib/auth";
 
 export const maxDuration = 30;
@@ -20,12 +21,7 @@ type BargainCartItem = {
 
 // Generate unique coupon code
 function generateCouponCode(): string {
-  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-  let code = "BRG-";
-  for (let i = 0; i < 6; i++) {
-    code += chars.charAt(Math.floor(Math.random() * chars.length));
-  }
-  return code;
+  return generateSecureCode("BRG-", 6);
 }
 
 function calculateCartRuleCap(cartTotal: number, isFirstTimeUser: boolean): number {

lib/actions/admin.ts

@@ -5,6 +5,7 @@ import { products, productVariants, coupons, orders, orderItems } from "@/lib/db
 import { requireAdmin } from "@/lib/auth-server";
 import { eq, desc, sql, and, gte } from "drizzle-orm";
 import { revalidatePath } from "next/cache";
+import { generateSecureCode } from "@/lib/utils";
 
 // ============================================
 // PRODUCT ACTIONS
@@ -567,11 +568,7 @@ export async function issueStoreCredit(data: IssueStoreCreditInput) {
   const creditAmount = Math.round(data.refundAmount * bonusMultiplier);
 
   // Generate unique store credit code
-  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-  let code = "CREDIT-";
-  for (let i = 0; i < 8; i++) {
-    code += chars.charAt(Math.floor(Math.random() * chars.length));
-  }
+  const code = generateSecureCode("CREDIT-", 8);
 
   // Set validity (30-60 days)
   const validityDays = Math.min(Math.max(data.validityDays || 30, 30), 60);

lib/cart-context.tsx

@@ -1,6 +1,7 @@
 "use client"
 
 import { createContext, useContext, useState, useEffect, ReactNode } from "react"
+import { generateSecureCode } from "@/lib/utils"
 
 export interface CartItem {
     id: string
@@ -80,7 +81,7 @@ export function CartProvider({ children }: { children: ReactNode }) {
     }
 
     const addCombo: CartContextType["addCombo"] = (combo) => {
-        const comboGroupId = `combo-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`
+        const comboGroupId = `combo-${Date.now()}-${generateSecureCode("", 6).toLowerCase()}`
         setItems((prev) => [
             ...prev,
             ...combo.items.map((item) => ({

lib/utils.ts

@@ -4,3 +4,14 @@ import { twMerge } from "tailwind-merge"
 export function cn(...inputs: ClassValue[]) {
   return twMerge(clsx(inputs))
 }
+
+export function generateSecureCode(prefix: string, length: number): string {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  let code = prefix;
+  const randomValues = new Uint32Array(length);
+  crypto.getRandomValues(randomValues);
+  for (let i = 0; i < length; i++) {
+    code += chars[randomValues[i] % chars.length];
+  }
+  return code;
+}