Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2025-04-10 01:16:39 +02:00
Code Issues Projects Releases Wiki Activity

chore: Better randomness (#6755)

Browse Source 
## About the changes
This change is irrelevant as it doesn't pose a security risk, but
there's no reason for us not to use a different type of random
generation for the `sessionId`

**Note:** the magic number 18 was picked because that's the length of
the string we get from `String(Math.random())`

Closes https://github.com/Unleash/unleash/security/code-scanning/68 and
https://github.com/Unleash/unleash/security/code-scanning/69
This commit is contained in:
Gastón Fournier 2024-04-02 16:21:33 +02:00 committed by GitHub
parent d5b73694fa
commit e845459034
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/lib/features/frontend-api/create-context.ts
View File

@ -1,9 +1,7 @@
// Copy of https://github.com/Unleash/unleash-proxy/blob/main/src/create-context.ts. // Copy of https://github.com/Unleash/unleash-proxy/blob/main/src/create-context.ts.
import crypto from 'crypto';
/* eslint-disable prefer-object-spread */
import type { Context } from 'unleash-client'; import type { Context } from 'unleash-client';
// eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types
export function createContext(value: any): Context { export function createContext(value: any): Context {
const { const {
appName, appName,
@ -33,9 +31,8 @@ export function createContext(value: any): Context {
return cleanContext; return cleanContext;
} }
// eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types
export const enrichContextWithIp = (query: any, ip: string): Context => { export const enrichContextWithIp = (query: any, ip: string): Context => {
query.remoteAddress = query.remoteAddress || ip; query.remoteAddress = query.remoteAddress || ip;
query.sessionId = query.sessionId || String(Math.random()); query.sessionId = query.sessionId || crypto.randomBytes(18).toString('hex');
return createContext(query); return createContext(query);
}; };

7
src/lib/features/frontend-api/frontend-api-service.ts
View File

@ -1,3 +1,4 @@
import crypto from 'crypto';
import type { import type {
IUnleashConfig, IUnleashConfig,
IUnleashServices, IUnleashServices,
@ -88,7 +89,8 @@ export class FrontendApiService {
): Promise<FrontendApiFeatureSchema[]> { ): Promise<FrontendApiFeatureSchema[]> {
const client = await this.clientForFrontendApiToken(token); const client = await this.clientForFrontendApiToken(token);
const definitions = client.getFeatureToggleDefinitions() || []; const definitions = client.getFeatureToggleDefinitions() || [];
const sessionId = context.sessionId || String(Math.random()); const sessionId =
context.sessionId || crypto.randomBytes(18).toString('hex');
const resultDefinitions = definitions const resultDefinitions = definitions
.filter((feature) => .filter((feature) =>
@ -115,7 +117,8 @@ export class FrontendApiService {
): Promise<FrontendApiFeatureSchema[]> { ): Promise<FrontendApiFeatureSchema[]> {
const client = await this.newClientForFrontendApiToken(token); const client = await this.newClientForFrontendApiToken(token);
const definitions = client.getFeatureToggleDefinitions() || []; const definitions = client.getFeatureToggleDefinitions() || [];
const sessionId = context.sessionId || String(Math.random()); const sessionId =
context.sessionId || crypto.randomBytes(18).toString('hex');
const resultDefinitions = definitions const resultDefinitions = definitions
.filter((feature) => { .filter((feature) => {