Open amodlagu opened 6 years ago
I would add that overriding `String.prototype.seed` and `String.prototype.hashCode` affects the global scope of the application, which is also not safe or secure, especially when bundled with different libraries - we might never know if someone else will override it (especially `hashCode`).
@piotrl strictly speaking this is an extension, not an override. The risk you mention is easy to avoid using a try/finally in your code.
@amodlagu you might want to let your WhiteHat team know that `Math.random` is perfectly secure for non-cryptographic usage, so they loosen up their rules.
Target: Javascript, version: 4.7
Security vulnerability detected in Javascript library.
In Utils.js: `String.prototype.seed = String.prototype.seed || Math.round(Math.random() * Math.pow(2, 32));`
We are including the Antlr library to support an online IDE for the formula language in our product. Our security team, using Sentinel WhiteHat, reported that `Math.random()` is not allowed. Would it be possible to replace `Math.random` with a cryptographically secure random number generator? In the browser, there are `window.crypto` or `window.msCrypto` (IE 11). But there could be other crypto libraries as well.
We are planning to make a similar change in the node modules that we are including, but could a fix be provided in the Antlr library as well?