[PR #396] [MERGED] fix for code scanning alert no. 4: Insecure randomness #416

Closed
opened 2026-02-26 12:41:18 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/community-scripts/ProxmoxVE-Local/pull/396
Author: @MickLesk
Created: 12/12/2025
Status: Merged
Merged: 12/12/2025
Merged by: @MickLesk

Base: main ← Head: alert-autofix-4


📝 Commits (1)

  • a91986d fix for code scanning alert no. 4: Insecure randomness

📊 Changes

1 file changed (+10 additions, -1 deletions)


📝 src/app/_components/VersionDisplay.tsx (+10 -1)

📄 Description

Potential fix for https://github.com/community-scripts/ProxmoxVE-Local/security/code-scanning/4

To fix the issue, we need to replace the insecure use of Math.random() with a cryptographically secure random number generator. Since this code runs in the browser (it's a React component and there's no Node-only syntax), we should use the Web Crypto API's crypto.getRandomValues. This can be used to generate secure random bytes and convert them to a random string for session ID use. Specifically, we can generate random bytes (or integers), encode them in base36 or hex, and splice that into the session ID in place of the current usage of Math.random().toString(36).substr(2, 9). We should add a helper function within this file to handle secure random string generation, and update line 423 to use it. No new imports are necessary, as the global crypto object is available in modern browsers.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
