Commit
Use crypto.randomBytes for ID generation (#235)
* Use crypto.randomBytes for ID generation

Math.random is not cryptographically secure, and IDs generated with it could potentially be predicted. Use crypto.randomBytes instead.
autopulated authored and markstos committed Oct 12, 2017
1 parent 305afbd commit da829fc
Showing 2 changed files with 9 additions and 6 deletions.
7 changes: 1 addition & 6 deletions lib/passport-saml/saml.js
Expand Up @@ -94,12 +94,7 @@ SAML.prototype.getCallbackUrl = function (req) {
};

SAML.prototype.generateUniqueID = function () {
var chars = "abcdef0123456789";
var uniqueID = "";
for (var i = 0; i < 20; i++) {
uniqueID += chars.substr(Math.floor((Math.random()*15)), 1);
}
return uniqueID;
return crypto.randomBytes(10).toString('hex');
};

SAML.prototype.generateInstant = function () {
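Review bot: the new `return crypto.randomBytes(10).toString('hex');` line in generateUniqueID depends on a `crypto` binding that is not visible anywhere in this hunk, so please confirm that `var crypto = require('crypto');` already exists near the top of lib/passport-saml/saml.js; if it does not, every call to generateUniqueID will throw a ReferenceError at runtime. It is also worth recording in the commit message that the removed loop had a second defect beyond predictability: `Math.floor(Math.random()*15)` only ever yields indices 0..14 of the 16-character alphabet, so the old IDs could never contain '9' and carried less entropy than their length suggested, whereas 10 random bytes rendered as hex keep the same 20-character lowercase-hex format with 80 bits of entropy. The eight added lines in test/tests.js are not rendered on this page; a test asserting the result matches /^[0-9a-f]{20}$/ and that two consecutive calls differ would pin that format down for future changes.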
8 changes: 8 additions & 0 deletions test/tests.js
