From 13cf6891acf99e55fdb10bb769f651df5c19eb44 Mon Sep 17 00:00:00 2001 From: Andreas Brett Date: Sun, 10 Oct 2021 21:58:23 +0200 Subject: [PATCH 01/11] cryptographically strong secret generation generate TOTP secret using WebCrypto API (see https://github.com/louislam/uptime-kuma/issues/640) --- src/util.ts | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/src/util.ts b/src/util.ts index 6e911998..22279a7d 100644 --- a/src/util.ts +++ b/src/util.ts @@ -114,12 +114,21 @@ export function getRandomInt(min: number, max: number) { return Math.floor(Math.random() * (max - min + 1)) + min; } +export function getCryptoRandomInt(min, max) { + const randomBuffer = new Uint32Array(1); + crypto.getRandomValues(randomBuffer); + let randomNumber = randomBuffer[0] / (0xffffffff + 1); + min = Math.ceil(min); + max = Math.floor(max); + return Math.floor(randomNumber * (max - min + 1)) + min; +} + export function genSecret(length = 64) { let secret = ""; - let chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; - let charsLength = chars.length; - for ( let i = 0; i < length; i++ ) { - secret += chars.charAt(Math.floor(Math.random() * charsLength)); + const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; + const charsLength = chars.length; + for ( let i = 0; i < 64; i++ ) { + secret += chars.charAt(getCryptoRandomInt(0, charsLength)); } return secret; } From 075535ba460a9f20439748b72d6f48d88a79a8e8 Mon Sep 17 00:00:00 2001 From: Andreas Brett Date: Sun, 10 Oct 2021 21:59:23 +0200 Subject: [PATCH 02/11] Update util.ts --- src/util.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util.ts b/src/util.ts index 22279a7d..6fdfc3be 100644 --- a/src/util.ts +++ b/src/util.ts @@ -127,7 +127,7 @@ export function genSecret(length = 64) { let secret = ""; const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; const charsLength = chars.length; - for ( let i = 0; i < 64; i++ ) { + for ( let i = 0; i < length; i++ ) { secret += chars.charAt(getCryptoRandomInt(0, charsLength)); } return secret; From e127e168b6b6295b38dc32e722466a61f94fa4cb Mon Sep 17 00:00:00 2001 From: Andreas Brett Date: Sun, 10 Oct 2021 22:15:42 +0200 Subject: [PATCH 03/11] typed parameters --- src/util.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util.ts b/src/util.ts index 6fdfc3be..8ba53738 100644 --- a/src/util.ts +++ b/src/util.ts @@ -114,7 +114,7 @@ export function getRandomInt(min: number, max: number) { return Math.floor(Math.random() * (max - min + 1)) + min; } -export function getCryptoRandomInt(min, max) { +export function getCryptoRandomInt(min; number, max: number) { const randomBuffer = new Uint32Array(1); crypto.getRandomValues(randomBuffer); let randomNumber = randomBuffer[0] / (0xffffffff + 1); From 06310423f4483164b0e43df30eb8f92ec2ca61a9 Mon Sep 17 00:00:00 2001 From: Andreas Brett Date: Sun, 10 Oct 2021 22:19:10 +0200 Subject: [PATCH 04/11] typo --- src/util.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util.ts b/src/util.ts index 8ba53738..6f058eed 100644 --- a/src/util.ts +++ b/src/util.ts @@ -114,7 +114,7 @@ export function getRandomInt(min: number, max: number) { return Math.floor(Math.random() * (max - min + 1)) + min; } -export function getCryptoRandomInt(min; number, max: number) { +export function getCryptoRandomInt(min: number, max: number) { const randomBuffer = new Uint32Array(1); crypto.getRandomValues(randomBuffer); let randomNumber = randomBuffer[0] / (0xffffffff + 1); From 11bcd1e2ed06651b8cf07e8df76ef20e5a6bca6a Mon Sep 17 00:00:00 2001 From: Andreas Brett Date: Sun, 10 Oct 2021 22:55:32 +0200 Subject: [PATCH 05/11] const --- src/util.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util.ts b/src/util.ts index 6f058eed..205589fe 100644 --- a/src/util.ts +++ b/src/util.ts @@ -117,7 +117,7 @@ export function getRandomInt(min: number, max: number) { export function getCryptoRandomInt(min: number, max: number) { const randomBuffer = new Uint32Array(1); crypto.getRandomValues(randomBuffer); - let randomNumber = randomBuffer[0] / (0xffffffff + 1); + const randomNumber = randomBuffer[0] / (0xffffffff + 1); min = Math.ceil(min); max = Math.floor(max); return Math.floor(randomNumber * (max - min + 1)) + min; From 0e6d7694cebcc0ec752ebab701a895890a9363ef Mon Sep 17 00:00:00 2001 From: Andreas Brett Date: Sun, 10 Oct 2021 23:54:45 +0200 Subject: [PATCH 06/11] Update util.js --- src/util.js | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/src/util.js b/src/util.js index 7fb50c5b..265ed51d 100644 --- a/src/util.js +++ b/src/util.js @@ -102,12 +102,21 @@ function getRandomInt(min, max) { return Math.floor(Math.random() * (max - min + 1)) + min; } exports.getRandomInt = getRandomInt; +function getCryptoRandomInt(min, max) { + const randomBuffer = new Uint32Array(1); + crypto.getRandomValues(randomBuffer); + const randomNumber = randomBuffer[0] / (0xffffffff + 1); + min = Math.ceil(min); + max = Math.floor(max); + return Math.floor(randomNumber * (max - min + 1)) + min; +} +exports.getCryptoRandomInt = getCryptoRandomInt; function genSecret(length = 64) { let secret = ""; - let chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; - let charsLength = chars.length; - for (let i = 0; i < length; i++) { - secret += chars.charAt(Math.floor(Math.random() * charsLength)); + const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; + const charsLength = chars.length; + for ( let i = 0; i < length; i++ ) { + secret += chars.charAt(getCryptoRandomInt(0, charsLength)); } return secret; } From dc1de50a02d7f4ea3205f179b60495be23403692 Mon Sep 17 00:00:00 2001 From: Andreas Brett Date: Mon, 11 Oct 2021 01:18:33 +0200 Subject: [PATCH 07/11] fix for max-inclusive --- src/util.js | 254 ++++++++++++++++++++++++++-------------------------- src/util.ts | 2 +- 2 files changed, 128 insertions(+), 128 deletions(-) diff --git a/src/util.js b/src/util.js index 265ed51d..8135f2a0 100644 --- a/src/util.js +++ b/src/util.js @@ -1,127 +1,127 @@ -"use strict"; -// Common Util for frontend and backend -// -// DOT NOT MODIFY util.js! -// Need to run "tsc" to compile if there are any changes. -// -// Backend uses the compiled file util.js -// Frontend uses util.ts -Object.defineProperty(exports, "__esModule", { value: true }); -exports.getMonitorRelativeURL = exports.genSecret = exports.getRandomInt = exports.getRandomArbitrary = exports.TimeLogger = exports.polyfill = exports.debug = exports.ucfirst = exports.sleep = exports.flipStatus = exports.STATUS_PAGE_PARTIAL_DOWN = exports.STATUS_PAGE_ALL_UP = exports.STATUS_PAGE_ALL_DOWN = exports.PENDING = exports.UP = exports.DOWN = exports.appName = exports.isDev = void 0; -const _dayjs = require("dayjs"); -const dayjs = _dayjs; -exports.isDev = process.env.NODE_ENV === "development"; -exports.appName = "Uptime Kuma"; -exports.DOWN = 0; -exports.UP = 1; -exports.PENDING = 2; -exports.STATUS_PAGE_ALL_DOWN = 0; -exports.STATUS_PAGE_ALL_UP = 1; -exports.STATUS_PAGE_PARTIAL_DOWN = 2; -function flipStatus(s) { - if (s === exports.UP) { - return exports.DOWN; - } - if (s === exports.DOWN) { - return exports.UP; - } - return s; -} -exports.flipStatus = flipStatus; -function sleep(ms) { - return new Promise(resolve => setTimeout(resolve, ms)); -} -exports.sleep = sleep; -/** - * PHP's ucfirst - * @param str - */ -function ucfirst(str) { - if (!str) { - return str; - } - const firstLetter = str.substr(0, 1); - return firstLetter.toUpperCase() + str.substr(1); -} -exports.ucfirst = ucfirst; -function debug(msg) { - if (exports.isDev) { - console.log(msg); - } -} -exports.debug = debug; -function polyfill() { - /** - * String.prototype.replaceAll() polyfill - * https://gomakethings.com/how-to-replace-a-section-of-a-string-with-another-one-with-vanilla-js/ - * @author Chris Ferdinandi - * @license MIT - */ - if (!String.prototype.replaceAll) { - String.prototype.replaceAll = function (str, newStr) { - // If a regex pattern - if (Object.prototype.toString.call(str).toLowerCase() === "[object regexp]") { - return this.replace(str, newStr); - } - // If a string - return this.replace(new RegExp(str, "g"), newStr); - }; - } -} -exports.polyfill = polyfill; -class TimeLogger { - constructor() { - this.startTime = dayjs().valueOf(); - } - print(name) { - if (exports.isDev && process.env.TIMELOGGER === "1") { - console.log(name + ": " + (dayjs().valueOf() - this.startTime) + "ms"); - } - } -} -exports.TimeLogger = TimeLogger; -/** - * Returns a random number between min (inclusive) and max (exclusive) - */ -function getRandomArbitrary(min, max) { - return Math.random() * (max - min) + min; -} -exports.getRandomArbitrary = getRandomArbitrary; -/** - * From: https://stackoverflow.com/questions/1527803/generating-random-whole-numbers-in-javascript-in-a-specific-range - * - * Returns a random integer between min (inclusive) and max (inclusive). - * The value is no lower than min (or the next integer greater than min - * if min isn't an integer) and no greater than max (or the next integer - * lower than max if max isn't an integer). - * Using Math.round() will give you a non-uniform distribution! - */ -function getRandomInt(min, max) { - min = Math.ceil(min); - max = Math.floor(max); - return Math.floor(Math.random() * (max - min + 1)) + min; -} -exports.getRandomInt = getRandomInt; -function getCryptoRandomInt(min, max) { - const randomBuffer = new Uint32Array(1); - crypto.getRandomValues(randomBuffer); - const randomNumber = randomBuffer[0] / (0xffffffff + 1); - min = Math.ceil(min); - max = Math.floor(max); - return Math.floor(randomNumber * (max - min + 1)) + min; -} -exports.getCryptoRandomInt = getCryptoRandomInt; -function genSecret(length = 64) { - let secret = ""; - const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; - const charsLength = chars.length; - for ( let i = 0; i < length; i++ ) { - secret += chars.charAt(getCryptoRandomInt(0, charsLength)); - } - return secret; -} -exports.genSecret = genSecret; -function getMonitorRelativeURL(id) { - return "/dashboard/" + id; -} -exports.getMonitorRelativeURL = getMonitorRelativeURL; +"use strict"; +// Common Util for frontend and backend +// +// DOT NOT MODIFY util.js! +// Need to run "tsc" to compile if there are any changes. +// +// Backend uses the compiled file util.js +// Frontend uses util.ts +Object.defineProperty(exports, "__esModule", { value: true }); +exports.getMonitorRelativeURL = exports.genSecret = exports.getRandomInt = exports.getRandomArbitrary = exports.TimeLogger = exports.polyfill = exports.debug = exports.ucfirst = exports.sleep = exports.flipStatus = exports.STATUS_PAGE_PARTIAL_DOWN = exports.STATUS_PAGE_ALL_UP = exports.STATUS_PAGE_ALL_DOWN = exports.PENDING = exports.UP = exports.DOWN = exports.appName = exports.isDev = void 0; +const _dayjs = require("dayjs"); +const dayjs = _dayjs; +exports.isDev = process.env.NODE_ENV === "development"; +exports.appName = "Uptime Kuma"; +exports.DOWN = 0; +exports.UP = 1; +exports.PENDING = 2; +exports.STATUS_PAGE_ALL_DOWN = 0; +exports.STATUS_PAGE_ALL_UP = 1; +exports.STATUS_PAGE_PARTIAL_DOWN = 2; +function flipStatus(s) { + if (s === exports.UP) { + return exports.DOWN; + } + if (s === exports.DOWN) { + return exports.UP; + } + return s; +} +exports.flipStatus = flipStatus; +function sleep(ms) { + return new Promise(resolve => setTimeout(resolve, ms)); +} +exports.sleep = sleep; +/** + * PHP's ucfirst + * @param str + */ +function ucfirst(str) { + if (!str) { + return str; + } + const firstLetter = str.substr(0, 1); + return firstLetter.toUpperCase() + str.substr(1); +} +exports.ucfirst = ucfirst; +function debug(msg) { + if (exports.isDev) { + console.log(msg); + } +} +exports.debug = debug; +function polyfill() { + /** + * String.prototype.replaceAll() polyfill + * https://gomakethings.com/how-to-replace-a-section-of-a-string-with-another-one-with-vanilla-js/ + * @author Chris Ferdinandi + * @license MIT + */ + if (!String.prototype.replaceAll) { + String.prototype.replaceAll = function (str, newStr) { + // If a regex pattern + if (Object.prototype.toString.call(str).toLowerCase() === "[object regexp]") { + return this.replace(str, newStr); + } + // If a string + return this.replace(new RegExp(str, "g"), newStr); + }; + } +} +exports.polyfill = polyfill; +class TimeLogger { + constructor() { + this.startTime = dayjs().valueOf(); + } + print(name) { + if (exports.isDev && process.env.TIMELOGGER === "1") { + console.log(name + ": " + (dayjs().valueOf() - this.startTime) + "ms"); + } + } +} +exports.TimeLogger = TimeLogger; +/** + * Returns a random number between min (inclusive) and max (exclusive) + */ +function getRandomArbitrary(min, max) { + return Math.random() * (max - min) + min; +} +exports.getRandomArbitrary = getRandomArbitrary; +/** + * From: https://stackoverflow.com/questions/1527803/generating-random-whole-numbers-in-javascript-in-a-specific-range + * + * Returns a random integer between min (inclusive) and max (inclusive). + * The value is no lower than min (or the next integer greater than min + * if min isn't an integer) and no greater than max (or the next integer + * lower than max if max isn't an integer). + * Using Math.round() will give you a non-uniform distribution! + */ +function getRandomInt(min, max) { + min = Math.ceil(min); + max = Math.floor(max); + return Math.floor(Math.random() * (max - min + 1)) + min; +} +exports.getRandomInt = getRandomInt; +function getCryptoRandomInt(min, max) { + const randomBuffer = new Uint32Array(1); + crypto.getRandomValues(randomBuffer); + const randomNumber = randomBuffer[0] / (0xffffffff + 1); + min = Math.ceil(min); + max = Math.floor(max); + return Math.floor(randomNumber * (max - min + 1)) + min; +} +exports.getCryptoRandomInt = getCryptoRandomInt; +function genSecret(length = 64) { + let secret = ""; + const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; + const charsLength = chars.length; + for ( let i = 0; i < length; i++ ) { + secret += chars.charAt(getCryptoRandomInt(0, charsLength - 1)); + } + return secret; +} +exports.genSecret = genSecret; +function getMonitorRelativeURL(id) { + return "/dashboard/" + id; +} +exports.getMonitorRelativeURL = getMonitorRelativeURL; diff --git a/src/util.ts b/src/util.ts index 205589fe..a1f6f259 100644 --- a/src/util.ts +++ b/src/util.ts @@ -128,7 +128,7 @@ export function genSecret(length = 64) { const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; const charsLength = chars.length; for ( let i = 0; i < length; i++ ) { - secret += chars.charAt(getCryptoRandomInt(0, charsLength)); + secret += chars.charAt(getCryptoRandomInt(0, charsLength - 1)); } return secret; } From 86dcc9bc8fc39faa44949c52ad74d9831dfedfb4 Mon Sep 17 00:00:00 2001 From: Andreas Brett Date: Wed, 13 Oct 2021 17:34:56 +0200 Subject: [PATCH 08/11] import webcrypto lib --- src/util.js | 1 + src/util.ts | 1 + 2 files changed, 2 insertions(+) diff --git a/src/util.js b/src/util.js index 8135f2a0..b8ee76d9 100644 --- a/src/util.js +++ b/src/util.js @@ -10,6 +10,7 @@ Object.defineProperty(exports, "__esModule", { value: true }); exports.getMonitorRelativeURL = exports.genSecret = exports.getRandomInt = exports.getRandomArbitrary = exports.TimeLogger = exports.polyfill = exports.debug = exports.ucfirst = exports.sleep = exports.flipStatus = exports.STATUS_PAGE_PARTIAL_DOWN = exports.STATUS_PAGE_ALL_UP = exports.STATUS_PAGE_ALL_DOWN = exports.PENDING = exports.UP = exports.DOWN = exports.appName = exports.isDev = void 0; const _dayjs = require("dayjs"); const dayjs = _dayjs; +const crypto = require("crypto").webcrypto; exports.isDev = process.env.NODE_ENV === "development"; exports.appName = "Uptime Kuma"; exports.DOWN = 0; diff --git a/src/util.ts b/src/util.ts index a1f6f259..259ff6e5 100644 --- a/src/util.ts +++ b/src/util.ts @@ -8,6 +8,7 @@ import * as _dayjs from "dayjs"; const dayjs = _dayjs; +const crypto = require("crypto").webcrypto; export const isDev = process.env.NODE_ENV === "development"; export const appName = "Uptime Kuma"; From 11a1f35cc5cc1743de60b2bc4fba33a0109686eb Mon Sep 17 00:00:00 2001 From: Andreas Brett Date: Mon, 18 Oct 2021 01:06:20 +0200 Subject: [PATCH 09/11] independent csprng solution --- src/util.js | 87 +++++++++++++++++++++++++++++++++++++++-------------- src/util.ts | 66 +++++++++++++++++++++++++++++++++++----- 2 files changed, 122 insertions(+), 31 deletions(-) diff --git a/src/util.js b/src/util.js index b8ee76d9..df54cf2e 100644 --- a/src/util.js +++ b/src/util.js @@ -6,11 +6,10 @@ // // Backend uses the compiled file util.js // Frontend uses util.ts -Object.defineProperty(exports, "__esModule", { value: true }); -exports.getMonitorRelativeURL = exports.genSecret = exports.getRandomInt = exports.getRandomArbitrary = exports.TimeLogger = exports.polyfill = exports.debug = exports.ucfirst = exports.sleep = exports.flipStatus = exports.STATUS_PAGE_PARTIAL_DOWN = exports.STATUS_PAGE_ALL_UP = exports.STATUS_PAGE_ALL_DOWN = exports.PENDING = exports.UP = exports.DOWN = exports.appName = exports.isDev = void 0; -const _dayjs = require("dayjs"); -const dayjs = _dayjs; -const crypto = require("crypto").webcrypto; +exports.__esModule = true; +exports.getMonitorRelativeURL = exports.genSecret = exports.getCryptoRandomInt = exports.getRandomInt = exports.getRandomArbitrary = exports.TimeLogger = exports.polyfill = exports.debug = exports.ucfirst = exports.sleep = exports.flipStatus = exports.STATUS_PAGE_PARTIAL_DOWN = exports.STATUS_PAGE_ALL_UP = exports.STATUS_PAGE_ALL_DOWN = exports.PENDING = exports.UP = exports.DOWN = exports.appName = exports.isDev = void 0; +var _dayjs = require("dayjs"); +var dayjs = _dayjs; exports.isDev = process.env.NODE_ENV === "development"; exports.appName = "Uptime Kuma"; exports.DOWN = 0; @@ -30,7 +29,7 @@ function flipStatus(s) { } exports.flipStatus = flipStatus; function sleep(ms) { - return new Promise(resolve => setTimeout(resolve, ms)); + return new Promise(function (resolve) { return setTimeout(resolve, ms); }); } exports.sleep = sleep; /** @@ -41,7 +40,7 @@ function ucfirst(str) { if (!str) { return str; } - const firstLetter = str.substr(0, 1); + var firstLetter = str.substr(0, 1); return firstLetter.toUpperCase() + str.substr(1); } exports.ucfirst = ucfirst; @@ -70,16 +69,17 @@ function polyfill() { } } exports.polyfill = polyfill; -class TimeLogger { - constructor() { +var TimeLogger = /** @class */ (function () { + function TimeLogger() { this.startTime = dayjs().valueOf(); } - print(name) { + TimeLogger.prototype.print = function (name) { if (exports.isDev && process.env.TIMELOGGER === "1") { console.log(name + ": " + (dayjs().valueOf() - this.startTime) + "ms"); } - } -} + }; + return TimeLogger; +}()); exports.TimeLogger = TimeLogger; /** * Returns a random number between min (inclusive) and max (exclusive) @@ -103,20 +103,61 @@ function getRandomInt(min, max) { return Math.floor(Math.random() * (max - min + 1)) + min; } exports.getRandomInt = getRandomInt; +/** + * Returns either the NodeJS crypto.randomBytes() function or its + * browser equivalent implemented via window.crypto.getRandomValues() + */ +var getRandomBytes = ((typeof window !== 'undefined' && window.crypto) + // Browsers + ? function () { + return function (numBytes) { + var randomBytes = new Uint8Array(numBytes); + for (var i = 0; i < numBytes; i += 65536) { + window.crypto.getRandomValues(randomBytes.subarray(i, i + Math.min(numBytes - i, 65536))); + } + return randomBytes; + }; + } + // Node + : function () { + return require("crypto").randomBytes; + })(); function getCryptoRandomInt(min, max) { - const randomBuffer = new Uint32Array(1); - crypto.getRandomValues(randomBuffer); - const randomNumber = randomBuffer[0] / (0xffffffff + 1); - min = Math.ceil(min); - max = Math.floor(max); - return Math.floor(randomNumber * (max - min + 1)) + min; + // synchronous version of: https://github.com/joepie91/node-random-number-csprng + var range = max - min; + if (range >= Math.pow(2, 32)) + console.log("Warning! Range is too large."); + var tmpRange = range; + var bitsNeeded = 0; + var bytesNeeded = 0; + var mask = 1; + while (tmpRange > 0) { + if (bitsNeeded % 8 === 0) + bytesNeeded += 1; + bitsNeeded += 1; + mask = mask << 1 | 1; + tmpRange = tmpRange >>> 1; + } + var randomBytes = getRandomBytes(bytesNeeded); + var randomValue = 0; + for (var i = 0; i < bytesNeeded; i++) { + randomValue |= randomBytes[i] << 8 * i; + } + randomValue = randomValue & mask; + if (randomValue <= range) { + return min + randomValue; + } + else { + return getCryptoRandomInt(min, max); + } } exports.getCryptoRandomInt = getCryptoRandomInt; -function genSecret(length = 64) { - let secret = ""; - const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; - const charsLength = chars.length; - for ( let i = 0; i < length; i++ ) { +function genSecret(length) { + if (length === void 0) { length = 64; } + var secret = ""; + var chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; + var charsLength = chars.length; + for (var i = 0; i < length; i++) { secret += chars.charAt(getCryptoRandomInt(0, charsLength - 1)); } return secret; diff --git a/src/util.ts b/src/util.ts index 259ff6e5..633d933e 100644 --- a/src/util.ts +++ b/src/util.ts @@ -8,7 +8,6 @@ import * as _dayjs from "dayjs"; const dayjs = _dayjs; -const crypto = require("crypto").webcrypto; export const isDev = process.env.NODE_ENV === "development"; export const appName = "Uptime Kuma"; @@ -115,13 +114,64 @@ export function getRandomInt(min: number, max: number) { return Math.floor(Math.random() * (max - min + 1)) + min; } -export function getCryptoRandomInt(min: number, max: number) { - const randomBuffer = new Uint32Array(1); - crypto.getRandomValues(randomBuffer); - const randomNumber = randomBuffer[0] / (0xffffffff + 1); - min = Math.ceil(min); - max = Math.floor(max); - return Math.floor(randomNumber * (max - min + 1)) + min; +/** + * Returns either the NodeJS crypto.randomBytes() function or its + * browser equivalent implemented via window.crypto.getRandomValues() + */ +let getRandomBytes = ( + (typeof window !== 'undefined' && window.crypto) + + // Browsers + ? function () { + return (numBytes: number) => { + let randomBytes = new Uint8Array(numBytes); + for (let i = 0; i < numBytes; i += 65536) { + window.crypto.getRandomValues(randomBytes.subarray(i, i + Math.min(numBytes - i, 65536))); + } + return randomBytes; + }; + } + + // Node + : function() { + return require("crypto").randomBytes; + } +)(); + +export function getCryptoRandomInt(min: number, max: number):number { + + // synchronous version of: https://github.com/joepie91/node-random-number-csprng + + const range = max - min + if (range >= Math.pow(2, 32)) + console.log("Warning! Range is too large.") + + let tmpRange = range + let bitsNeeded = 0 + let bytesNeeded = 0 + let mask = 1 + + while (tmpRange > 0) { + if (bitsNeeded % 8 === 0) bytesNeeded += 1 + bitsNeeded += 1 + mask = mask << 1 | 1 + tmpRange = tmpRange >>> 1 + } + + const randomBytes = getRandomBytes(bytesNeeded) + let randomValue = 0 + + for (let i = 0; i < bytesNeeded; i++) { + randomValue |= randomBytes[i] << 8 * i + } + + randomValue = randomValue & mask; + + if (randomValue <= range) { + return min + randomValue + } else { + return getCryptoRandomInt(min, max) + } } export function genSecret(length = 64) { From 23714ab68833cf110947ee2e32481d7f2fc5b906 Mon Sep 17 00:00:00 2001 From: Louis Lam Date: Mon, 18 Oct 2021 17:37:11 +0800 Subject: [PATCH 10/11] genSecret don't need `await` --- server/server.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/server.js b/server/server.js index c4d18869..31f27043 100644 --- a/server/server.js +++ b/server/server.js @@ -321,7 +321,7 @@ exports.entryPage = "dashboard"; ]); if (user.twofa_status == 0) { - let newSecret = await genSecret(); + let newSecret = genSecret(); let encodedSecret = base32.encode(newSecret); // Google authenticator doesn't like equal signs From 300a95d779538af37850d4dc5923b6113246d763 Mon Sep 17 00:00:00 2001 From: Louis Lam Date: Mon, 18 Oct 2021 17:51:40 +0800 Subject: [PATCH 11/11] recompile util.js with tsconfig.json --- src/util.js | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/src/util.js b/src/util.js index 28239efa..b2df7ac7 100644 --- a/src/util.js +++ b/src/util.js @@ -6,10 +6,10 @@ // // Backend uses the compiled file util.js // Frontend uses util.ts -exports.__esModule = true; +Object.defineProperty(exports, "__esModule", { value: true }); exports.getMonitorRelativeURL = exports.genSecret = exports.getCryptoRandomInt = exports.getRandomInt = exports.getRandomArbitrary = exports.TimeLogger = exports.polyfill = exports.debug = exports.ucfirst = exports.sleep = exports.flipStatus = exports.STATUS_PAGE_PARTIAL_DOWN = exports.STATUS_PAGE_ALL_UP = exports.STATUS_PAGE_ALL_DOWN = exports.PENDING = exports.UP = exports.DOWN = exports.appName = exports.isDev = void 0; -var _dayjs = require("dayjs"); -var dayjs = _dayjs; +const _dayjs = require("dayjs"); +const dayjs = _dayjs; exports.isDev = process.env.NODE_ENV === "development"; exports.appName = "Uptime Kuma"; exports.DOWN = 0; @@ -106,12 +106,12 @@ exports.getRandomInt = getRandomInt; * Returns either the NodeJS crypto.randomBytes() function or its * browser equivalent implemented via window.crypto.getRandomValues() */ -var getRandomBytes = ((typeof window !== 'undefined' && window.crypto) +let getRandomBytes = ((typeof window !== 'undefined' && window.crypto) // Browsers ? function () { - return function (numBytes) { - var randomBytes = new Uint8Array(numBytes); - for (var i = 0; i < numBytes; i += 65536) { + return (numBytes) => { + let randomBytes = new Uint8Array(numBytes); + for (let i = 0; i < numBytes; i += 65536) { window.crypto.getRandomValues(randomBytes.subarray(i, i + Math.min(numBytes - i, 65536))); } return randomBytes; @@ -123,13 +123,13 @@ var getRandomBytes = ((typeof window !== 'undefined' && window.crypto) })(); function getCryptoRandomInt(min, max) { // synchronous version of: https://github.com/joepie91/node-random-number-csprng - var range = max - min; + const range = max - min; if (range >= Math.pow(2, 32)) console.log("Warning! Range is too large."); - var tmpRange = range; - var bitsNeeded = 0; - var bytesNeeded = 0; - var mask = 1; + let tmpRange = range; + let bitsNeeded = 0; + let bytesNeeded = 0; + let mask = 1; while (tmpRange > 0) { if (bitsNeeded % 8 === 0) bytesNeeded += 1; @@ -137,9 +137,9 @@ function getCryptoRandomInt(min, max) { mask = mask << 1 | 1; tmpRange = tmpRange >>> 1; } - var randomBytes = getRandomBytes(bytesNeeded); - var randomValue = 0; - for (var i = 0; i < bytesNeeded; i++) { + const randomBytes = getRandomBytes(bytesNeeded); + let randomValue = 0; + for (let i = 0; i < bytesNeeded; i++) { randomValue |= randomBytes[i] << 8 * i; } randomValue = randomValue & mask; @@ -151,12 +151,11 @@ function getCryptoRandomInt(min, max) { } } exports.getCryptoRandomInt = getCryptoRandomInt; -function genSecret(length) { - if (length === void 0) { length = 64; } - var secret = ""; - var chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; - var charsLength = chars.length; - for (var i = 0; i < length; i++) { +function genSecret(length = 64) { + let secret = ""; + const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; + const charsLength = chars.length; + for (let i = 0; i < length; i++) { secret += chars.charAt(getCryptoRandomInt(0, charsLength - 1)); } return secret;