Fixes #848 - Use more secure PRNG

Math.random() is not cryptogaphically secure, but the crypto-random-string package provides what is needed with a cryptographically secure pseudo-random number generator.
2019-10-01 21:29:42 -04:00 · 2019-10-01 21:29:42 -04:00 · 054901cb79
parent 4f29f7c3a7
commit 054901cb79
3 changed files with 18834 additions and 10 deletions
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -47,6 +47,7 @@
  },
  "dependencies": {
    "@braintree/sanitize-url": "^3.1.0",
+    "crypto-random-string": "^3.0.1",
    "d3": "^5.7.0",
    "dagre-d3-renderer": "^0.5.8",
    "dagre-layout": "^0.8.8",
--- a/src/diagrams/git/gitGraphAst.js
+++ b/src/diagrams/git/gitGraphAst.js
@ -1,4 +1,5 @@
 import _ from 'lodash';
+import randomString from 'crypto-random-string';

 import { logger } from '../../logger';

@ -9,17 +10,11 @@ let curBranch = 'master';
 let direction = 'LR';
 let seq = 0;

-function getRandomInt(min, max) {
-  return Math.floor(Math.random() * (max - min)) + min;
-}
-
 function getId() {
-  const pool = '0123456789abcdef';
-  let id = '';
-  for (let i = 0; i < 7; i++) {
-    id += pool[getRandomInt(0, 16)];
-  }
-  return id;
+  return randomString({
+    length: 7,
+    characters: '0123456789abcdef'
+  });
 }

 function isfastforwardable(currentCommit, otherCommit) {