From c74e7f295026e08fe8f6f0f12d14485631511e27 Mon Sep 17 00:00:00 2001 From: Shecker <74537007+byRespect@users.noreply.github.com> Date: Sat, 13 Dec 2025 01:19:42 +0300 Subject: [PATCH] Potential fix for code scanning alert no. 2: Insecure randomness Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- packages/core/src/shared/utils.ts | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/packages/core/src/shared/utils.ts b/packages/core/src/shared/utils.ts index e2868c9..3875e3b 100644 --- a/packages/core/src/shared/utils.ts +++ b/packages/core/src/shared/utils.ts @@ -1,8 +1,32 @@ export type IdFactory = () => string; -/** Mikro ID üretir; time + randomness karışımı. */ -export const createId: IdFactory = () => - `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`; +/** Mikro ID üretir; cryptographically secure random string. */ +export const createId: IdFactory = () => { + // Use crypto.randomUUID if available (Node 14.17+, modern browsers) + if (typeof globalThis.crypto !== 'undefined') { + if (typeof globalThis.crypto.randomUUID === 'function') { + return globalThis.crypto.randomUUID(); + } + // Fallback for browsers without randomUUID + if (typeof globalThis.crypto.getRandomValues === 'function') { + const array = new Uint8Array(16); + globalThis.crypto.getRandomValues(array); + return Array.from(array, b => b.toString(16).padStart(2, "0")).join(""); + } + } + // Node.js fallback + try { + // eslint-disable-next-line @typescript-eslint/no-var-requires + const nodeCrypto = require("crypto"); + if (typeof nodeCrypto.randomUUID === "function") { + return nodeCrypto.randomUUID(); + } + return nodeCrypto.randomBytes(16).toString("hex"); + } catch (e) { + // As a last very-resilient fallback, still use Math.random, but this should never be hit + return `${Date.now()}-fallback-${Math.random().toString(36).slice(2, 12)}`; + } +}; /** ISO tarih string'i döndürür; testlerde deterministik değildir. */ export const nowIso = () => new Date().toISOString();