matrix/matrix-js-sdk
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-js-sdk.git synced 2025-08-06 12:02:40 +03:00
Code Activity

Change randomString et al to be secure

Browse Source 
...and renames them, removing the special lowercase and uppercase
versions and exporting the underlying function instead.

Any apps that use these will either need to take the speed hit from
secure random functions and use the new ones, or write their own
insecure versions.

The lowercase and uppercasde verisons were used exactly once each
in element-web and never in js-sdk itself. The underlying function
is very simple and exporting just this gives more flexibility with
fewer exports.
This commit is contained in:
David Baker
2025-01-16 14:48:36 +00:00
parent bdd4d82cb3
commit 86494c3a96
14 changed files with 80 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
src/randomstring.ts
View File

@@ -17,9 +17,9 @@ limitations under the License.
import { encodeUnpaddedBase64Url } from "./base64.ts";
const LOWERCASE = "abcdefghijklmnopqrstuvwxyz";
const UPPERCASE = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const DIGITS = "0123456789";
export const LOWERCASE = "abcdefghijklmnopqrstuvwxyz";
export const UPPERCASE = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
export const DIGITS = "0123456789";
export function secureRandomBase64Url(len: number): string {
const key = new Uint8Array(len);
@@ -28,24 +28,29 @@ export function secureRandomBase64Url(len: number): string {
return encodeUnpaddedBase64Url(key);
}
export function randomString(len: number): string {
return randomStringFrom(len, UPPERCASE + LOWERCASE + DIGITS);
/**
* Generates a random string of uppercase and lowercase letters plus digits using a
* cryptographically secure random number generator.
* @param len The length of the string to generate
* @returns Random string of uppercase and lowercase letters plus digits of length `len`
*/
export function secureRandomString(len: number): string {
return secureRandomStringFrom(len, UPPERCASE + LOWERCASE + DIGITS);
}
export function randomLowercaseString(len: number): string {
return randomStringFrom(len, LOWERCASE);
}
export function randomUppercaseString(len: number): string {
return randomStringFrom(len, UPPERCASE);
}
function randomStringFrom(len: number, chars: string): string {
/**
* Generate a cryptographically secure random string using characters given
* @param len The length of the string to generate
* @param chars The characters to use in the random string.
* @returns Random string of characters of length `len`
*/
export function secureRandomStringFrom(len: number, chars: string): string {
const positions = new Uint32Array(chars.length);
let ret = "";
for (let i = 0; i < len; ++i) {
ret += chars.charAt(Math.floor(Math.random() * chars.length));
crypto.getRandomValues(positions);
for (let i = 0; i < len; i++) {
const currentCharPlace = positions[i % chars.length] % chars.length;
ret += chars[currentCharPlace];
}
return ret;
}