bruno icon indicating copy to clipboard operation
bruno copied to clipboard

Published 20 hours ago verified publisher icon usebruno

Can't use node crypto in scripts

Open zfil opened this issue 1 year ago • 5 comments

I have checked the following:

  • [X] I use the newest version of bruno.
  • [X] I've searched existing issues and found nothing related to my issue.

Describe the bug

As explained in the documentation and in some issues I've added the following whitelist in the json file:

  "scripts": {
    "moduleWhitelist": [
      "crypto"
    ],
    "filesystemAccess": {
      "allow": true
    }
  },

However when I try to use in scripts for instance:

const crypto = require('crypto');
bru.setVar('uuid',crypto.randomUUID());

I get the following error message:

Error invoking remote method 'send-http-request': Error: Error: Cannot find module crypto

.bru file to reproduce the bug

No response

Screenshots/Live demo link

image

zfil avatar Sep 02 '24 16:09 zfil

Bruno comes with crypto-js already included.

If you just want to create a UUID though then you can use uuid which is also already included as well and does not require installing additional packages.

const { v4: uuidv4 } = require('uuid');
console.log(uuidv4())

crypto has been deprecated and should no longer be used.

brutaldev avatar Sep 04 '24 09:09 brutaldev

crypto has been deprecated and should no longer be used.

Hi @brutaldev you must be a bit confused ...

crypto-js is discontinued as clearly indicated. image

So I want to use the native node crypto package, and as explained here #1849 it needs to be imported using 'crypto' instead of 'node:crypto'.

Looks like there is a regression in latest bruno builds?

zfil avatar Sep 04 '24 09:09 zfil

Safe mode is even using a vulnerable version of crypto-js: crypto-js-3.1.9-1 Not really sure what the plan there is, but switching to node:crypto should be the better choice for all environments.

alexkunde avatar Sep 17 '24 09:09 alexkunde

I would like to suggest the removal of crypto-js and moving to node:crypto. An unmaintained crypto package is not good imo.

tolgap avatar Sep 18 '24 12:09 tolgap

Found this issue while searching for an error. ☺️👋 If moving to node:crypto, can we double-check that this works?

Pre-request:

const { webcrypto } = require('crypto');
if (!globalThis.crypto) globalThis.crypto = webcrypto;

const privKey = new Uint8Array(32);
crypto.getRandomValues(privKey);

In Bruno v1.30.1 I'm seeing:

Error invoking remote method 'send-http-request': TypeMismatchError: The data argument must be an integer-type TypedArray

Some searches seem to indicate that JS Uint8Array might be incompatible with Node Uint8Array. Not sure how to fix it yet (js newb).

petedoyle avatar Sep 27 '24 19:09 petedoyle

If anyone stumbles here, just don't use safe mode. Crypto will work just fine

umarrasydan avatar Jul 03 '25 07:07 umarrasydan

Are there reason it is not available in safe mode, or it just needs to be added to a allow-list of sorts?

lapo-luchini avatar Jul 03 '25 07:07 lapo-luchini

Safe mode is even using a vulnerable version of crypto-js: crypto-js-3.1.9-1

@alexkunde We have fixed this in PR #5566. We now use the latest version v4.2.0 This will go out in our upcoming release v2.12.0 set to go on 23rd Sep 2025

Since crypto-js has been discontinued, I've created a ticket #5569 to track adding support for Noble in the future

We won't be able to support NodeJS's crypto module in Safe Mode in Bruno. The javascript runtime in Safe Mode uses QuickJS which does not have access to NodeJS api's If you want to use NodeJS crypto module const crypto = require("crypto"), please switch to Developer Mode

helloanoop avatar Sep 16 '25 11:09 helloanoop