oauth2orize icon indicating copy to clipboard operation
oauth2orize copied to clipboard

Published 20 hours ago verified publisher icon jaredhanson

Math.random() shouldn't be used

Open FrankHassanabad opened this issue 10 years ago • 3 comments
trafficstars

Math.random() isn't a cryptographically secure random number generating, meaning that people could easily guess the seed by looking at the V8 chrome code and then generate their own tokens. Most people just copy your examples, so having the bearer example use Math.random() within utils might not be a good idea to keep around.

NodeJS has a good crypto random gen that's just as easy to use: https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback

FrankHassanabad avatar Oct 16 '15 17:10 FrankHassanabad

To clarify: Math.random() is not used within the oauth2orize library, so the library has no security issues in this regard.

The examples are just that: examples. Developers should stop and think before copy-n-pasting code. Especially so when doing security work. At some point I'm going to remove the examples from this repo into separate repos, so issues can be filed on them separately.

jaredhanson avatar Oct 16 '15 18:10 jaredhanson

Developers should stop and think before copy-n-pasting code.

The problem is in practice, many don't. It seems like this would be easy to fix by just updating the example to do something which is a little more secure by default.

@FrankHassanabad care to submit a pull request for this?

mreinstein avatar Nov 05 '15 18:11 mreinstein

@FrankHassanabad nevermind I just submitted a PR for this

mreinstein avatar Nov 05 '15 19:11 mreinstein