This repository has been archived by the owner on Jul 15, 2023. It is now read-only.

new security rule: insecure random (CWE-330) #187

Closed

HamletDRC opened this issue Aug 8, 2016 · 2 comments

Milestone

Member

HamletDRC commented Aug 8, 2016

https://cwe.mitre.org/data/definitions/330.html

https://stackoverflow.com/questions/4083204/secure-random-numbers-in-javascript

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random

Member Author

HamletDRC commented Aug 9, 2016

The better alternatives are:

Node.js crypto.randomBytes() - http://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback
window.crypto.getRandomValues() - https://developer.mozilla.org/en-US/docs/Web/API/window.crypto.getRandomValues

HamletDRC changed the title ~~new rule: insecure random (CWE-330)~~ new security rule: insecure random (CWE-330)

HamletDRC added the feature-request label

HamletDRC added this to the 2.0.11 milestone

Member Author

HamletDRC commented Sep 16, 2016

also, you need to avoid node's pseudoRandomBytes
https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-pseudoRandomBytes.js

HamletDRC closed this as completed in

e4a21ac

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.