-
-
Notifications
You must be signed in to change notification settings - Fork 51
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request from GHSA-3f99-hvg4-qjwj
* fix double String.fromCharCode * use crypto module if available Co-authored-by: Julian Gruber <[email protected]>
- Loading branch information
1 parent
87c62f2
commit 9596418
Showing
1 changed file
with
6 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
9596418
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How is this a fix?
This looks like it still falls back to xorshift128+ for the purpose of ssh keys generation?
That... doesn't look like a good idea perhaps.
Why is
Math.random
based code even present there?The environments where there is no way to generate the key in a secure way should fail, and not fall back to a predictable pseudo-random generator.
Note: not considering this confidential, as this is all over Twitter now afaik.
9596418
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not a security researcher myself so I'm preferring to relay judgement of this issue to those who are, which has happened in this advisory.
At this point I'm not going to perform any major changes to this library myself. If you want to contribute, would you consider making a docs PR with your concerns, adding a disclaimer to the README?
9596418
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for responding promptly to the security researchers and taking the time to merge this security fix. A good example of how to handle security related bug reports.