From 70b6674f44174fdd03fbf3c6d2c634b666842119 Mon Sep 17 00:00:00 2001
From: Nick O'Leary <nick.oleary@gmail.com>
Date: Fri, 11 Sep 2020 14:09:54 +0100
Subject: [PATCH] Replace Math.random with crypto.getBytes for session tokens

---
 .../@node-red/editor-api/lib/auth/tokens.js          | 12 ++----------
 .../@node-red/editor-api/lib/editor/comms.js         | 11 ++---------
 .../localfilesystem/projects/git/authServer.js       |  3 ++-
 3 files changed, 6 insertions(+), 20 deletions(-)

diff --git a/packages/node_modules/@node-red/editor-api/lib/auth/tokens.js b/packages/node_modules/@node-red/editor-api/lib/auth/tokens.js
index 6e867d7df..8cfd112d3 100644
--- a/packages/node_modules/@node-red/editor-api/lib/auth/tokens.js
+++ b/packages/node_modules/@node-red/editor-api/lib/auth/tokens.js
@@ -14,15 +14,7 @@
  * limitations under the License.
  **/
 
-function generateToken(length) {
-    var c = "ABCDEFGHIJKLMNOPQRSTUZWXYZabcdefghijklmnopqrstuvwxyz1234567890";
-    var token = [];
-    for (var i=0;i<length;i++) {
-        token.push(c[Math.floor(Math.random()*c.length)]);
-    }
-    return token.join("");
-}
-
+const crypto = require("crypto");
 
 var storage;
 var sessionExpiryTime
@@ -115,7 +107,7 @@ module.exports = {
     },
     create: function(user,client,scope) {
         return loadSessions().then(function() {
-            var accessToken = generateToken(128);
+            var accessToken = crypto.randomBytes(128).toString('base64');
 
             var accessTokenExpiresAt = Date.now() + (sessionExpiryTime*1000);
 
diff --git a/packages/node_modules/@node-red/editor-api/lib/editor/comms.js b/packages/node_modules/@node-red/editor-api/lib/editor/comms.js
index 84da62a69..386b5f8a8 100644
--- a/packages/node_modules/@node-red/editor-api/lib/editor/comms.js
+++ b/packages/node_modules/@node-red/editor-api/lib/editor/comms.js
@@ -16,6 +16,7 @@
 
 var ws = require("ws");
 var url = require("url");
+const crypto = require("crypto");
 
 var log = require("@node-red/util").log; // TODO: separate module
 var Tokens;
@@ -56,17 +57,9 @@ function handleSessionExpiry(session) {
         }
     })
 }
-function generateSession(length) {
-    var c = "ABCDEFGHIJKLMNOPQRSTUZWXYZabcdefghijklmnopqrstuvwxyz1234567890";
-    var token = [];
-    for (var i=0;i<length;i++) {
-        token.push(c[Math.floor(Math.random()*c.length)]);
-    }
-    return token.join("");
-}
 
 function CommsConnection(ws, user) {
-    this.session = generateSession(32);
+    this.session = crypto.randomBytes(32).toString('base64');
     this.ws = ws;
     this.stack = [];
     this.user = user;
diff --git a/packages/node_modules/@node-red/runtime/lib/storage/localfilesystem/projects/git/authServer.js b/packages/node_modules/@node-red/runtime/lib/storage/localfilesystem/projects/git/authServer.js
index 95b4eda0c..d5a487273 100644
--- a/packages/node_modules/@node-red/runtime/lib/storage/localfilesystem/projects/git/authServer.js
+++ b/packages/node_modules/@node-red/runtime/lib/storage/localfilesystem/projects/git/authServer.js
@@ -18,9 +18,10 @@ var net = require("net");
 var fs = require("fs-extra");
 var path = require("path");
 var os = require("os");
+const crypto = require("crypto");
 
 function getListenPath() {
-    var seed = (0x100000+Math.random()*0x999999).toString(16);
+    var seed = crypto.randomBytes(8).toString('hex');
     var fn = 'node-red-git-askpass-'+seed+'-sock';
     var listenPath;
     if (process.platform === 'win32') {