Use `crypto.randomUUID` instead of using `Math.random` to seed a PRNG for UUIDs (!88464) · Merge requests · GitLab.org / GitLab

Thomas Randolph requested to merge tor/maintenance/uuid-random-iv into master May 24, 2022

What does this MR do and why?

For #360730 (closed)

Why

Please see the linked issue for a deeper discussion of "Why".

In short:

Math.random is unsuitable for true randomness, and while there are currently no security implications, we should avoid it
The browsers that we support all provide crypto.randomUUID, so we should leverage that for fully random UUIDs.

What

This just swaps out the implementation for fully random UUIDs to use the browser-provided crypto.randomUUID.

It also updates the UUID generation code to be more generalized to handle more UUID versions.

Screenshots or screen recordings

N/A, all of this code is backstage.

How to set up and validate locally

Probably just run the tests.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited May 31, 2022 by Thomas Randolph

Use `crypto.randomUUID` instead of using `Math.random` to seed a PRNG for UUIDs

What does this MR do and why?

Why

What

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports