Replace Math.random with crypto.getBytes for session tokens

Nick O'Leary 2020-09-11 14:09:54 +01:00
parent baffe4861c
commit 70b6674f44
No known key found for this signature in database
GPG Key ID: 4F2157149161A6C9
3 changed files with 6 additions and 20 deletions


@ -14,15 +14,7 @@
* limitations under the License. * limitations under the License.
**/ **/
function generateToken(length) { const crypto = require("crypto");
var c = "ABCDEFGHIJKLMNOPQRSTUZWXYZabcdefghijklmnopqrstuvwxyz1234567890";
var token = [];
for (var i=0;i<length;i++) {
token.push(c[Math.floor(Math.random()*c.length)]);
}
return token.join("");
}
var storage; var storage;
var sessionExpiryTime var sessionExpiryTime
@ -115,7 +107,7 @@ module.exports = {
}, },
create: function(user,client,scope) { create: function(user,client,scope) {
return loadSessions().then(function() { return loadSessions().then(function() {
var accessToken = generateToken(128); var accessToken = crypto.randomBytes(128).toString('base64');
var accessTokenExpiresAt = Date.now() + (sessionExpiryTime*1000); var accessTokenExpiresAt = Date.now() + (sessionExpiryTime*1000);
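Review bot: The new access token in `create` is encoded with `.toString('base64')`, so it can contain `+`, `/` and `=`, which the old alphanumeric tokens never did; the same applies to `this.session` in `CommsConnection` in the next file. If either value is ever carried in a URL query string, a cookie or a file name (not visible in these hunks, and `create` continues past this one), those characters need escaping and `+` may be decoded as a space, so a valid token would fail lookup. `crypto.randomBytes(128).toString('hex')` keeps the value URL-safe and matches the encoding already used for the askpass seed in the third file. The argument now also counts bytes rather than characters, so the token grows from 128 to 172 characters; a comment such as `// 128 CSPRNG bytes, base64-encoded (172 chars)` would record that for anyone sizing storage or headers.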


@ -16,6 +16,7 @@
var ws = require("ws"); var ws = require("ws");
var url = require("url"); var url = require("url");
const crypto = require("crypto");
var log = require("@node-red/util").log; // TODO: separate module var log = require("@node-red/util").log; // TODO: separate module
var Tokens; var Tokens;
@ -56,17 +57,9 @@ function handleSessionExpiry(session) {
} }
}) })
} }
function generateSession(length) {
var c = "ABCDEFGHIJKLMNOPQRSTUZWXYZabcdefghijklmnopqrstuvwxyz1234567890";
var token = [];
for (var i=0;i<length;i++) {
token.push(c[Math.floor(Math.random()*c.length)]);
}
return token.join("");
}
function CommsConnection(ws, user) { function CommsConnection(ws, user) {
this.session = generateSession(32); this.session = crypto.randomBytes(32).toString('base64');
this.ws = ws; this.ws = ws;
this.stack = []; this.stack = [];
this.user = user; this.user = user;


@ -18,9 +18,10 @@ var net = require("net");
var fs = require("fs-extra"); var fs = require("fs-extra");
var path = require("path"); var path = require("path");
var os = require("os"); var os = require("os");
const crypto = require("crypto");
function getListenPath() { function getListenPath() {
var seed = (0x100000+Math.random()*0x999999).toString(16); var seed = crypto.randomBytes(8).toString('hex');
var fn = 'node-red-git-askpass-'+seed+'-sock'; var fn = 'node-red-git-askpass-'+seed+'-sock';
var listenPath; var listenPath;
if (process.platform === 'win32') { if (process.platform === 'win32') {
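Review bot: `getListenPath` now builds the socket name from 8 CSPRNG bytes, but an unguessable name should not be the only protection for an askpass socket, which judging by its name relays git credentials. The rest of the function lies outside this hunk, so it is not visible whether the non-Windows path sits in a directory that only the Node-RED user can access. That is worth confirming and recording next to the seed, for example `// random suffix avoids name collisions; access control comes from the socket directory's permissions`.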