Closed danielgrad closed 3 months ago
The random number generator used for masking frames is not cryptographically secure:
https://github.com/dart-lang/web_socket_channel/blob/3db86bc0a09e1038a0fa418262c8a92211c5de69/lib/src/copy/web_socket_impl.dart#L28 https://github.com/dart-lang/web_socket_channel/blob/3db86bc0a09e1038a0fa418262c8a92211c5de69/lib/src/copy/web_socket_impl.dart#L508-L514
This is a security concern (CWE-331), and deviates from RFC 6455 section 10.3:
Clients MUST choose a new masking key for each frame, using an algorithm that cannot be predicted by end applications that provide data. For example, each masking could be drawn from a cryptographically strong random number generator.
This has been fixed in dart:io for over 7 years but it looks like the change never made it here despite the last import being 6 years ago.
dart:io
The random number generator used for masking frames is not cryptographically secure:
https://github.com/dart-lang/web_socket_channel/blob/3db86bc0a09e1038a0fa418262c8a92211c5de69/lib/src/copy/web_socket_impl.dart#L28 https://github.com/dart-lang/web_socket_channel/blob/3db86bc0a09e1038a0fa418262c8a92211c5de69/lib/src/copy/web_socket_impl.dart#L508-L514
This is a security concern (CWE-331), and deviates from RFC 6455 section 10.3: