firebase-js-sdk

Don't use Math.random() to generate UUIDs

Open luc122c opened this issue 3 years ago • 2 comments

[REQUIRED] Describe your environment

  • Operating System version: MacOS 12.4
  • Browser version: Firefox Developer 103.0b9
  • Firebase SDK version: 9.9.0
  • Firebase Product: Util (auth, database, storage, etc)

[REQUIRED] Describe the problem

The UUID function that Firebase uses has been 'borrowed' from Stack Overflow and uses Math.random() to generate random numbers. It's well documented that Math.random() is not a good source of randomness anymore; in fact the answer that is linked to has been updated to use Crypto.getRandomValues() instead.

Perhaps this function could be updated/replaced to use a more up-to-date method of calculating UUIDs.

Relevant Code:

Source Code

Further information:

luc122c, Jul 21 '22 22:07

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

google-oss-bot, Jul 21 '22 22:07

Thanks. It looks like Node support for Crypto.getRandomValues() is fairly recent (Node 15) so if we update to it, we'll probably want to make sure we wrap it in a try/catch and fall back to Math.random() as needed.

hsubox76, Jul 25 '22 16:07
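The approach discussed in this thread, sketched as an added example (not the Firebase SDK's code and not code from any commenter): a version 4 UUID built from `crypto.getRandomValues()`, with feature detection and an explicit, opt-out `Math.random()` fallback. All function and option names (`pickRandomFill`, `weakFill`, `formatUuidV4`, `uuidv4`, `allowWeakFallback`, `fill`) are hypothetical, and reporting which source was used is an assumption about what callers need.

```javascript
// Added example; every name here is hypothetical, not part of firebase-js-sdk.

// Return a function that fills a Uint8Array from a CSPRNG, or null if none exists.
function pickRandomFill() {
  const c = globalThis.crypto;
  if (c && typeof c.getRandomValues === 'function') {
    return (buf) => c.getRandomValues(buf);
  }
  if (typeof require === 'function') {
    try {
      const nodeCrypto = require('crypto'); // Node without a global crypto object
      if (nodeCrypto.webcrypto) return (buf) => nodeCrypto.webcrypto.getRandomValues(buf);
      return (buf) => nodeCrypto.randomFillSync(buf);
    } catch (e) {
      // no crypto module in this runtime; fall through to null
    }
  }
  return null;
}

// Last-resort filler built on Math.random(): predictable, so never use it for secrets.
function weakFill(buf) {
  for (let i = 0; i < buf.length; i++) buf[i] = Math.floor(Math.random() * 256);
  return buf;
}

// Turn 16 random bytes into an RFC 4122 version 4 UUID string.
function formatUuidV4(bytes) {
  const b = Uint8Array.from(bytes);
  b[6] = (b[6] & 0x0f) | 0x40; // version nibble = 4
  b[8] = (b[8] & 0x3f) | 0x80; // variant bits = 10xx
  const hex = Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
}

// Returns the UUID together with the source used, so callers can log or reject weak IDs.
function uuidv4({ allowWeakFallback = true, fill = pickRandomFill() } = {}) {
  let source = 'csprng';
  if (!fill) {
    if (!allowWeakFallback) throw new Error('no cryptographic random source available');
    fill = weakFill;
    source = 'math-random';
  }
  return { uuid: formatUuidV4(fill(new Uint8Array(16))), source };
}
```

Passing `allowWeakFallback: false` makes the function throw instead of silently degrading, which suits any identifier that must be unguessable.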