From 10f9cb2a08fcf583676ce36b4c26201a7fca63a3 Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Fri, 26 Aug 2022 00:41:55 +0200
Subject: [PATCH] Replace password generation with web-crypto API in order to remove insecure RNG provided in `Math.random()`

closes #64

Signed-off-by: Knut Ahlers
---
 src/app.vue | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/app.vue b/src/app.vue
index 5286ead..eecb07c 100644
--- a/src/app.vue
+++ b/src/app.vue
@@ -168,6 +168,9 @@ import axios from 'axios'
 import AES from 'gibberish-aes/src/gibberish-aes'
+const passwordCharset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+const passwordLength = 20
+
 export default {
 name: 'App',
@@ -212,8 +215,9 @@ export default {
 methods: {
 // createSecret executes the secret creation after encrypting the secret
 createSecret() {
- this.securePassword = Math.random().toString(36) .substring(2)
+ this.securePassword = [...window.crypto.getRandomValues(new Uint8Array(passwordLength))] .map(n => passwordCharset[n % passwordCharset.length]) .join('') const secret = AES.enc(this.secret, this.securePassword) axios.post('api/create', { secret })
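Review bot: `n % passwordCharset.length` on the `.map` line of the second hunk introduces modulo bias: the charset has 62 entries and a byte has 256 values, 256 mod 62 = 8, so the first eight characters (`0`–`7`) are each drawn with probability 5/256 while the rest get 4/256. The skew is small for a 20-character password, but it is exactly the class of RNG weakness this commit sets out to remove, and rejection sampling eliminates it cheaply: discard any byte at or above `Math.floor(256 / 62) * 62 = 248` and draw again. A one-line alternative is to grow the charset to 64 characters (for example by appending `-_`), which makes `n % 64` exact, provided those characters are acceptable wherever `securePassword` is later carried (not visible in this hunk). The sketch below moves generation into a helper beside the two new constants; `createSecret` would then read `this.securePassword = generatePassword()`, and its body continues outside the hunk.
```javascript
const passwordCharset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
const passwordLength = 20
// Largest multiple of the charset size that fits in one byte; bytes at or
// above it are rejected so every character is drawn with equal probability.
const unbiasedLimit = Math.floor(256 / passwordCharset.length) * passwordCharset.length

// generatePassword returns passwordLength characters from passwordCharset using
// the Web Crypto CSPRNG with rejection sampling to avoid modulo bias.
function generatePassword() {
  let password = ''
  while (password.length < passwordLength) {
    const bytes = window.crypto.getRandomValues(new Uint8Array(passwordLength))
    for (const n of bytes) {
      if (password.length === passwordLength) break
      if (n < unbiasedLimit) password += passwordCharset[n % passwordCharset.length]
    }
  }
  return password
}
// … unchanged: export default { … createSecret() { this.securePassword = generatePassword() … } … }
```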