
@LaserBread
Contributor

Description

Resolves a security vulnerability CodeQL found in our core/lib/password_gen.js file by using the crypto library instead of the less cryptographically secure Math.random.

Fixes a connected CodeQL vulnerability

Checklist:

Before you submit your Pull Request, please make sure you have completed the following tasks:

  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have made corresponding changes to the documentation.
  • My changes generate no new warnings.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • Any dependent changes have been merged and published in downstream modules.
  • I have tagged my PR with the appropriate label(s).
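
An added example, not code from this pull request or from core/lib/password_gen.js, showing the class of change the description refers to. The alphabet and the function names `weakPassword`, `uniformIndex` and `securePassword` are assumptions made for illustration.

```javascript
// Added illustration; not the contents of core/lib/password_gen.js.
const { randomBytes } = require("node:crypto");

// Constructed alphabet (assumption): 62 symbols, which does not divide 256.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Pattern reported as insecure randomness: Math.random() is not a CSPRNG,
// so its output must not be used to build secrets.
function weakPassword(length) {
  let out = "";
  for (let i = 0; i < length; i++) {
    out += ALPHABET[Math.floor(Math.random() * ALPHABET.length)];
  }
  return out;
}

// Uniform index in [0, n) from CSPRNG bytes, using rejection sampling.
// A bare `byte % n` would favour low indices whenever 256 % n !== 0.
function uniformIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError("n must be an integer in 1..256");
  }
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  for (;;) {
    for (const byte of randomBytes(16)) {
      if (byte < limit) return byte % n; // bytes >= limit are discarded
    }
  }
}

// Hardened generator: every character is chosen from CSPRNG output.
function securePassword(length) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  let out = "";
  for (let i = 0; i < length; i++) {
    out += ALPHABET[uniformIndex(ALPHABET.length)];
  }
  return out;
}
```

Node's built-in `crypto.randomInt(max)` gives the same unbiased selection without a hand-written sampling loop.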

@LaserBread LaserBread requested a review from a team as a code owner November 23, 2025 10:27
@LaserBread LaserBread added the security (Investigating or resolving a potential security issue) and javascript (Pull requests that update javascript code) labels Nov 23, 2025
@LaserBread LaserBread enabled auto-merge November 23, 2025 10:28
Contributor

@MigrainePanda MigrainePanda left a comment


Can you add that it fixes security alert #19 (Insecure randomness)?

@github-project-automation github-project-automation bot moved this from Backlog to In Progress in classroom-polling Nov 27, 2025
@LaserBread
Contributor Author

It is linked in the issue on the security tab.

@LaserBread LaserBread added this pull request to the merge queue Jan 9, 2026
Merged via the queue into OSU-MC:development with commit 63af1bb Jan 9, 2026
8 checks passed
@LaserBread LaserBread deleted the crypt-fix branch January 9, 2026 20:28
@github-project-automation github-project-automation bot moved this from In Progress to Done in classroom-polling Jan 9, 2026