-
Notifications
You must be signed in to change notification settings - Fork 274
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove crypto.randomUUID
dependency in favor of a custom function
#1016
Conversation
crypto.randomUUID
dependency in favor of a custom function
@@ -33,7 +33,7 @@ export async function installAsset( | |||
const assetNameGuess = zipFileName.replace(/\.zip$/, ''); | |||
|
|||
const wpContent = joinPaths(await playground.documentRoot, 'wp-content'); | |||
const tmpDir = joinPaths(wpContent, crypto.randomUUID()); | |||
const tmpDir = joinPaths(wpContent, randomString(46)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[ Question ] Why we increased the characters we are using in comparison with UUID?
UUID has 36 + 4 characters instead of 46.
Can we change that to be 40 instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the correction. UUID actually is 36 characters long. Example 'd6c556d6-32b8-4bdf-b338-20a16e9860aa'
.
A string containing a randomly generated, 36 character long v4 UUID.
https://developer.mozilla.org/en-US/docs/Web/API/Crypto/randomUUID
I added a default length of 36 to randomString
function.
Thank you @sejas! One caveat would be that |
@adamziel, Right!, I improved |
While I understand that the Playground has its own limited risk for security, I'm a bit surprised we removed a cryptographically-secure source of randomness in favor of one without that. Did we perform an audit to ensure that we don't need better randomness in the app? If all we're doing is creating a temporary filename for an in-memory database it seems harmless, but if we're using this for anything related to sensitive content then we may want to ensure we limit the use of this custom generator and warn people that it provides no cryptographic value. |
@dmsnell I agree. This PR is strictly about creating temporary files with random names, not cryptographic security. For anything security related we’ll still need to use crypto. |
What is this PR doing?
crypto
to Polyfills improving Blueprint compatibility for Node #1000randomString
fromremote
package to@php-wasm/util
randomFilename
crypto.randomUUID
withrandomFilename()
What problem is it solving?
crypto
is a library that is available, but needs to be imported on node apps.How is the problem addressed?
It replaces the function that generates a random value with our custom library
Testing Instructions