From e845459034e19e5c4c6c8471ca9d3dcf1a3123a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gast=C3=B3n=20Fournier?=
Date: Tue, 2 Apr 2024 16:21:33 +0200
Subject: [PATCH] chore: Better randomness (#6755)

## About the changes
This change is irrelevant as it doesn't pose a security risk, but there's no reason for us not to use a different type of random generation for the `sessionId`

**Note:** the magic number 18 was picked because that's the length of the string we get from `String(Math.random())`

Closes https://github.com/Unleash/unleash/security/code-scanning/68 and https://github.com/Unleash/unleash/security/code-scanning/69
---
 src/lib/features/frontend-api/create-context.ts | 7 ++-----
 src/lib/features/frontend-api/frontend-api-service.ts | 7 +++++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/lib/features/frontend-api/create-context.ts b/src/lib/features/frontend-api/create-context.ts
index 683d901941..921ca3f514 100644
--- a/src/lib/features/frontend-api/create-context.ts
+++ b/src/lib/features/frontend-api/create-context.ts
@@ -1,9 +1,7 @@
 // Copy of https://github.com/Unleash/unleash-proxy/blob/main/src/create-context.ts.
-
-/* eslint-disable prefer-object-spread */
+import crypto from 'crypto';
 import type { Context } from 'unleash-client';
 
-// eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types
 export function createContext(value: any): Context {
     const {
         appName,
@@ -33,9 +31,8 @@ export function createContext(value: any): Context {
     return cleanContext;
 }
 
-// eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types
 export const enrichContextWithIp = (query: any, ip: string): Context => {
     query.remoteAddress = query.remoteAddress || ip;
-    query.sessionId = query.sessionId || String(Math.random());
+    query.sessionId = query.sessionId || crypto.randomBytes(18).toString('hex');
     return createContext(query);
 };
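Review bot: In `enrichContextWithIp`, `crypto.randomBytes(18).toString('hex')` yields a 36-character id, not the 18 the commit message reasons from (each byte becomes two hex digits), so the constant 18 is a bare magic number whose stated rationale does not match the code. Decide which is meant — 18 random bytes (144 bits, 36 chars) or an 18-character id (`crypto.randomBytes(9).toString('hex')`, 72 bits) — and record it next to the constant, e.g. `// 18 random bytes = 36 hex chars; replaces the ~18-char String(Math.random()) id`. The same expression is repeated twice in frontend-api-service.ts in this commit; exporting one helper from this file, `export const generateSessionId = (): string => crypto.randomBytes(18).toString('hex');`, and calling it from all three sites keeps the id format in one place. The `||` fallback is unchanged, so a client-supplied empty-string `sessionId` is still replaced with a fresh id, which is fine but worth stating in a comment since this value comes from the request.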
diff --git a/src/lib/features/frontend-api/frontend-api-service.ts b/src/lib/features/frontend-api/frontend-api-service.ts
index 6761979938..ceace4dfdc 100644
--- a/src/lib/features/frontend-api/frontend-api-service.ts
+++ b/src/lib/features/frontend-api/frontend-api-service.ts
@@ -1,3 +1,4 @@
+import crypto from 'crypto';
 import type {
     IUnleashConfig,
     IUnleashServices,
@@ -88,7 +89,8 @@ export class FrontendApiService {
     ): Promise {
         const client = await this.clientForFrontendApiToken(token);
         const definitions = client.getFeatureToggleDefinitions() || [];
-        const sessionId = context.sessionId || String(Math.random());
+        const sessionId =
+            context.sessionId || crypto.randomBytes(18).toString('hex');
 
         const resultDefinitions = definitions
             .filter((feature) =>
@@ -115,7 +117,8 @@ export class FrontendApiService {
     ): Promise {
         const client = await this.newClientForFrontendApiToken(token);
         const definitions = client.getFeatureToggleDefinitions() || [];
-        const sessionId = context.sessionId || String(Math.random());
+        const sessionId =
+            context.sessionId || crypto.randomBytes(18).toString('hex');
 
         const resultDefinitions = definitions
             .filter((feature) => {
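Review bot: Both hunks inline `crypto.randomBytes(18).toString('hex')` for the fallback `sessionId`, duplicating the expression this same commit adds to create-context.ts, so a later change to the id's length or encoding has to be made in three places. Prefer one shared helper (e.g. `generateSessionId()` exported from create-context.ts) and write `const sessionId = context.sessionId || generateSessionId();` at both sites. The fallback id is generated fresh on every call and nothing in these hunks returns it to the caller, so two requests that omit `sessionId` are evaluated with different ids; the commit keeps that pre-existing behaviour, but if sticky evaluation is expected, confirm it against the rest of the method and note it in a comment. Both enclosing methods begin and end outside the hunks.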