From f230ea7fea621555ba121d7a892c15c80f1c86e9 Mon Sep 17 00:00:00 2001
From: David Christofas
Date: Tue, 12 Jan 2021 17:23:40 +0100
Subject: [PATCH] generate cryptographically secure state token
---
 changelog/unreleased/generate-secure-state.md | 7 +++++++
 konnectd/ui/src/utils.js | 6 +++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 changelog/unreleased/generate-secure-state.md
diff --git a/changelog/unreleased/generate-secure-state.md b/changelog/unreleased/generate-secure-state.md
new file mode 100644
index 00000000000..9fb545464ad
--- /dev/null
+++ b/changelog/unreleased/generate-secure-state.md
@@ -0,0 +1,7 @@
+Change: generate cryptographically secure state token
+
+Replaced Math.random with a cryptographically secure way to generate the oidc state token using the javascript crypto api.
+
+https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues
+https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random
+https://github.com/owncloud/ocis/pull/1203
diff --git a/konnectd/ui/src/utils.js b/konnectd/ui/src/utils.js
index 297e333086d..cdb9d65fa95 100644
--- a/konnectd/ui/src/utils.js
+++ b/konnectd/ui/src/utils.js
@@ -1,5 +1,9 @@
 export function withClientRequestState(obj) {
- obj.state = Math.random().toString(36).substring(7);
+ // Generate a 16 byte random token
+ const values = new Uint8Array(16);
+ crypto.getRandomValues(values);
+ // Convert the 16 byte to a hex string and assign to the state attribute
+ obj.state = Array.prototype.map.call(values, x => x.toString(16)).join('');
 return obj;
 }
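Review bot: `x.toString(16)` in the new `obj.state` assignment emits a single hex digit for any byte below 0x10, so the state token has a variable length and the byte-to-string mapping is not injective (constructed example: the byte pairs 0x0a,0xb0 and 0xab,0x00 both render as `ab0`), which discards part of the 128 bits the comment claims to put into the token. Zero-pad each byte so the output is always a fixed 32-character hex string: `obj.state = Array.prototype.map.call(values, x => x.toString(16).padStart(2, '0')).join('');`. The preceding comment could then state the resulting length, e.g. `// Hex-encode the 16 bytes (32 chars, zero-padded) and assign to the state attribute`. The `@@ -1,5 +1,9 @@` counts imply one more context line after `}` than is visible here, so the hunk appears to extend slightly past this view.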