Skip to content

Release 20251015 #22

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

Release 20251015 #22

wants to merge 11 commits into from

Conversation

@Anders-planck
Copy link
Collaborator

@Anders-planck Anders-planck commented Oct 15, 2025

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 15, 2025
View reviewed changes
src/core/adapter-loader.ts

const mtlsBaseUrl = forcePort444 && !baseUrl.includes(':444')
? (baseUrl.includes(':444')
? baseUrl.replace(':444', ':444')

Check warning

Code scanning / CodeQL

Replacement of a substring with itself Medium

This replaces ':444' with itself.

Copilot Autofix

AI 28 days ago

The fix is to remove the redundant replace operation and simply return baseUrl in this else-branch.
Specifically, in createACubeMTLSConfig, lines 93–97 build the mtlsBaseUrl.

  • Remove the unnecessary baseUrl.replace(':444', ':444') call (line 95).
  • Let the branch simply refer to baseUrl when ':444' is already present.
  • No further imports or helper methods are necessary.
    Only this region in the file src/core/adapter-loader.ts needs to change.
Suggested changeset 1
src/core/adapter-loader.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/core/adapter-loader.ts b/src/core/adapter-loader.ts
--- a/src/core/adapter-loader.ts
+++ b/src/core/adapter-loader.ts
@@ -92,7 +92,7 @@
   
   const mtlsBaseUrl = forcePort444 && !baseUrl.includes(':444')
     ? (baseUrl.includes(':444')
-        ? baseUrl.replace(':444', ':444')
+        ? baseUrl
         : baseUrl.replace(/:\d+$/, '') + ':444')
     : baseUrl;
 
EOF
@@ -92,7 +92,7 @@

const mtlsBaseUrl = forcePort444 && !baseUrl.includes(':444')
? (baseUrl.includes(':444')
? baseUrl.replace(':444', ':444')
? baseUrl
: baseUrl.replace(/:\d+$/, '') + ':444')
: baseUrl;

Copilot is powered by AI and may make mistakes. Always verify output.
src/react/hooks/use-receipts.ts

// Generate temporary receipt data for UI
const tempReceipt: ReceiptOutput = {
uuid: operationId,

Check failure

Code scanning / CodeQL

Insecure randomness High

This uses a cryptographically insecure random number generated at
Math.random()
Loading
in a security context.

Copilot Autofix

AI 28 days ago

To fix the insecure randomness, update the ID generation logic in OperationQueue.generateId() (in src/offline/queue.ts) to use a cryptographically secure random generator. For browser context, use window.crypto.getRandomValues; for Node context, use require('crypto').randomUUID(). Given the presence of .substr(2, 9) (implying legacy support), but if unique string IDs are desired, use a securely generated UUID or a securely generated random string. Also, add any required imports (import { randomUUID } from 'crypto'; for Node.js).

Steps:

  • In src/offline/queue.ts, replace the use of Math.random() in generateId() with a call to randomUUID() (if Node.js >= v14.17, recommended) or a securely generated random value.
  • If using randomUUID(), prepend the timestamp as currently done, or use only the UUID if timestamp isn't strictly needed or can be sanitized.
  • Add required imports if not already present.

No other files require modification for this fix.

Suggested changeset 1
src/offline/queue.ts
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/offline/queue.ts b/src/offline/queue.ts
--- a/src/offline/queue.ts
+++ b/src/offline/queue.ts
@@ -1,4 +1,5 @@
 import { IStorage } from '../adapters';
+import { randomUUID } from 'crypto';
 import { 
   QueuedOperation, 
   OperationType, 
@@ -296,7 +297,8 @@
    * Generate unique ID for operations
    */
   private generateId(): string {
-    return `${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
+    // Use a cryptographically secure random UUID as the operation ID (with timestamp as prefix for legacy reasons)
+    return `${Date.now()}-${randomUUID()}`;
   }
 
   /**
EOF
@@ -1,4 +1,5 @@
import { IStorage } from '../adapters';
import { randomUUID } from 'crypto';
import {
QueuedOperation,
OperationType,
@@ -296,7 +297,8 @@
* Generate unique ID for operations
*/
private generateId(): string {
return `${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
// Use a cryptographically secure random UUID as the operation ID (with timestamp as prefix for legacy reasons)
return `${Date.now()}-${randomUUID()}`;
}

/**
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Anders-planck