fix(security): Use crypto.getRandomValues instead of Math.random (#…

…40) `Math.random` should not be used for cryptographic purposes.
lnbits · Aug 22, 2024 · c10bb03 · c10bb03
1 parent 409d4d2
commit c10bb03
Showing 1 changed file with 6 additions and 7 deletions.
diff --git a/static/js/index.js b/static/js/index.js
@@ -293,26 +293,25 @@ new Vue({
     },
     generateKeys: function () {
       var self = this
-      const genRanHex = size =>
-        [...Array(size)]
-          .map(() => Math.floor(Math.random() * 16).toString(16))
-          .join('')
+      const genRandomHexBytes = size =>
+        crypto.getRandomValues(new Uint8Array(size))
+          .reduce((acc, i) => acc + i.toString(16).padStart(2, '0'), '')
 
       debugcard =
         typeof this.cardDialog.data.card_name === 'string' &&
         this.cardDialog.data.card_name.search('debug') > -1
 
       self.cardDialog.data.k0 = debugcard
         ? '11111111111111111111111111111111'
-        : genRanHex(32)
+        : genRandomHexBytes(16)
 
       self.cardDialog.data.k1 = debugcard
         ? '22222222222222222222222222222222'
-        : genRanHex(32)
+        : genRandomHexBytes(16)
 
       self.cardDialog.data.k2 = debugcard
         ? '33333333333333333333333333333333'
-        : genRanHex(32)
+        : genRandomHexBytes(16)
     },
     closeFormDialog: function () {
       this.cardDialog.data = {}