Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use crypto.randomBytes for ID generation #235

Merged
merged 2 commits into from
Oct 12, 2017

Conversation

autopulated
Copy link
Contributor

Math.random is not cryptographically secure, and IDs generated with it could potentially be predicted. Use crypto.randomBytes instead.

I kept the length of the generated ID the same, but it might also be worth increasing it if that's OK everywhere this function is used, as 20 hex chars is only an 80 bit ID, for which collisions could conceivably occur with a realistic number of stored IDs.

Math.random is not cryptographically secure, and IDs generated with it could potentially be predicted. Use crypto.randomBytes instead.
@markstos
Copy link
Contributor

markstos commented Oct 9, 2017

Thanks for the PR. Could you add a test that confirms that the new strings returned are the same length as the old strings?

@autopulated
Copy link
Contributor Author

added test 👍

@markstos markstos merged commit da829fc into node-saml:master Oct 12, 2017
@markstos
Copy link
Contributor

Thanks, released. Changelog is here: https://github.com/bergie/passport-saml/releases

cjbarth added a commit to cjbarth/passport-saml that referenced this pull request Sep 10, 2018
…-string-signing

* commit 'da829fc0216ed961ea7cb8a6234df65a60f51114':
  Use crypto.randomBytes for ID generation (node-saml#235)
  BugFix: Fail gracefully when SAML Response is invalid. Fixes node-saml#238
  docs: Improve docs for privateKey format. Ref node-saml#230
  Drop support for Node versions < 4.
  v0.20.2
cjbarth added a commit to cjbarth/passport-saml that referenced this pull request Sep 10, 2018
…url-params

* commit 'da829fc0216ed961ea7cb8a6234df65a60f51114':
  Use crypto.randomBytes for ID generation (node-saml#235)
  BugFix: Fail gracefully when SAML Response is invalid. Fixes node-saml#238
  docs: Improve docs for privateKey format. Ref node-saml#230
  Drop support for Node versions < 4.
  v0.20.2
cjbarth added a commit to cjbarth/passport-saml that referenced this pull request Sep 10, 2018
* master: (51 commits)
  start to use the debug module.
  v0.34.0: release
  internal: provide unique failure messages for invalid signatures. Fixes node-saml#146
  package.json: bump version to 0.33.0
  docs: mention that disableRequestAuthnContext helps with AD FS
  New Feature: allow customizing the name of the strategy.
  bump version to v0.32.1
  README: link to where our Changes are documented.
  Audience validation
  README: fix typo `s/ADSF/ADFS/`
  jshint: fix jshint violation.
  v0.31.0 release
  README: update link description for ADFS docs.
  Upd: Mention ADFS 2016 with NameIDFormatError. (node-saml#242)
  Support multiple and dynamic signing certificates (node-saml#218)
  v0.30.0
  Ignore .tern-port files
  Use crypto.randomBytes for ID generation (node-saml#235)
  BugFix: Fail gracefully when SAML Response is invalid. Fixes node-saml#238
  docs: Improve docs for privateKey format. Ref node-saml#230
  ...

# Conflicts:
#	README.md
#	test/samlTests.js
#	test/tests.js
cjbarth added a commit to cjbarth/passport-saml that referenced this pull request Sep 10, 2018
* master: (51 commits)
  start to use the debug module.
  v0.34.0: release
  internal: provide unique failure messages for invalid signatures. Fixes node-saml#146
  package.json: bump version to 0.33.0
  docs: mention that disableRequestAuthnContext helps with AD FS
  New Feature: allow customizing the name of the strategy.
  bump version to v0.32.1
  README: link to where our Changes are documented.
  Audience validation
  README: fix typo `s/ADSF/ADFS/`
  jshint: fix jshint violation.
  v0.31.0 release
  README: update link description for ADFS docs.
  Upd: Mention ADFS 2016 with NameIDFormatError. (node-saml#242)
  Support multiple and dynamic signing certificates (node-saml#218)
  v0.30.0
  Ignore .tern-port files
  Use crypto.randomBytes for ID generation (node-saml#235)
  BugFix: Fail gracefully when SAML Response is invalid. Fixes node-saml#238
  docs: Improve docs for privateKey format. Ref node-saml#230
  ...

# Conflicts:
#	README.md
#	test/samlTests.js
cjbarth added a commit to cjbarth/passport-saml that referenced this pull request Sep 11, 2018
…-authn-context

* commit 'da829fc0216ed961ea7cb8a6234df65a60f51114':
  Use crypto.randomBytes for ID generation (node-saml#235)
  BugFix: Fail gracefully when SAML Response is invalid. Fixes node-saml#238
  docs: Improve docs for privateKey format. Ref node-saml#230
  Drop support for Node versions < 4.
  v0.20.2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants