Opened 4 years ago

Closed 3 years ago

#14669 closed New Feature (invalid)

Use window.crypto Instead of Math.random

Reported by: patrick5080
Owned by:
Priority: Normal
Milestone:
Component: General
Version: 4.5.4
Keywords:
Cc:

Description

Hello, I have a request please. We are using HP Fortify for our code-base and Fortify reports security vulnerabilities in the ckeditor and lite-includes.js (and the jquery.min.js) files. The lite-includes.js and jquery.min.js files are located under the plugins/lite directory. Is it possible to replace the Math.random method with the window.crypto.random method, as Fortify specifies this is a security vulnerability?

Thank you, patrick

Steps to reproduce

  1. View the contents of the ckeditor.js and lite-includes-min.js files (plugins/lite)
  2. The code is using Math.random() instead of window.crypto.random()

Other details (browser, OS, CKEditor version, installed plugins)

Change History (1)

comment:1 Changed 3 years ago by Jakub Ś

Resolution: invalid
Status: new → closed

Thank you for the report.

First of all I need to say that just because some program has reported something, it doesn't mean it is right.

The program is absolutely right about random - http://stackoverflow.com/questions/5651789/is-math-random-cryptographically-secure. It is not secure.
The "crypto" https://developer.mozilla.org/en-US/docs/Web/API/Window/crypto seems to be supported by all modern browsers.

Based on that I have checked the code and here are my results:

  • Math.random is used for generating random hashes to prevent caching on images etc. There is absolutely no security threat here.
  • There is also code responsible for generating the CSRF token, but from what I have checked it uses window.crypto in the first place and Math.random() * 256 only when the browser doesn't support window.crypto. This is the correct approach, because we also need to provide some level of support (a fallback solution) for old browsers. If you however look at the compatibility table you will see that it is very unlikely that someone will have such a browser as IE6 and older or Opera 19 and older.

To sum up: having a few random functions for generating anti-cache hashes is not a security threat.
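The pattern the comment describes, as an added example that is not CKEditor's or the LITE plugin's own code: a token generator that uses `getRandomValues` when Web Crypto is available and falls back to `Math.random() * 256` only when it is not, beside a cache-busting nonce for which plain `Math.random()` is sufficient. The `forceFallback` parameter and the lookup of Node's `webcrypto` (so the block runs outside a browser) are assumptions added here for illustration.

```javascript
// Locate a Web Crypto implementation: window.crypto in a browser, or Node's
// webcrypto when run from the command line. Returns null when none exists,
// which is the legacy-browser case the fallback path is there for.
function findWebCrypto() {
  const g = globalThis;
  if (g.crypto && typeof g.crypto.getRandomValues === 'function') return g.crypto;
  // Assumption for running under older Node: Web Crypto lives on require('crypto').webcrypto.
  if (typeof require === 'function') {
    try { return require('crypto').webcrypto || null; } catch (e) { return null; }
  }
  return null;
}

// Fill n bytes, preferring the CSPRNG. `forceFallback` is an added knob so the
// legacy path can be exercised on a modern runtime; it is not part of any real API.
function randomBytes(n, forceFallback = false) {
  const bytes = new Uint8Array(n);
  const wc = forceFallback ? null : findWebCrypto();
  if (wc) {
    wc.getRandomValues(bytes);          // cryptographically secure path
    return { bytes, source: 'getRandomValues' };
  }
  // Fallback: Math.random() is not a CSPRNG, so a token built here is guessable
  // in principle. It only runs where Web Crypto is genuinely missing.
  for (let i = 0; i < n; i++) bytes[i] = Math.floor(Math.random() * 256);
  return { bytes, source: 'Math.random' };
}

function toHex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// A CSRF token: 16 random bytes (128 bits), hex-encoded to 32 characters.
// Reports which generator produced it so a caller can log or refuse the fallback.
function csrfToken(forceFallback = false) {
  const { bytes, source } = randomBytes(16, forceFallback);
  return { token: toHex(bytes), source };
}

// A cache-busting query parameter. The only requirement is that successive
// values differ, so the non-cryptographic generator is deliberately used.
function cacheBustedUrl(url) {
  const sep = url.includes('?') ? '&' : '?';
  return url + sep + 'nocache=' + toHex(randomBytes(4, true).bytes);
}

// Usage
const t = csrfToken();
console.log(t.source, t.token);
console.log(cacheBustedUrl('https://example.test/img.png'));
```

The split matters for an audit: a scanner that flags every `Math.random()` call cannot tell the two uses apart, but the token path is the only one where predictability has a security consequence, and there the CSPRNG is already preferred.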

© 2003 – 2019 CKSource – Frederico Knabben. All rights reserved.