Use a stronger random number generator for Vimium's session secret

philc · philc · commit 1d80e66aa20f · 2021-07-09T21:54:08.000-07:00
Fixes philc#3832
diff --git a/background_scripts/main.js b/background_scripts/main.js
@@ -32,9 +32,11 @@ global.urlForTab = {};
 // This is exported for use by "marks.js".
 global.tabLoadedHandlers = {}; // tabId -> function()
 
-// A secret, available only within the current instantiation of Vimium. The secret is big, likely unguessable
-// in practice, but less than 2^31.
-chrome.storage.local.set({vimiumSecret: Math.floor(Math.random() * 2000000000)});
+// A secret, available only within the current instantiation of Vimium, for the duration of the browser
+// session. The secret is a generated strong random string.
+const randomArray = window.crypto.getRandomValues(new Uint8Array(32)); // 32-byte random token.
+const secretToken =  randomArray.reduce((a,b) => a.toString(16) + b.toString(16));
+chrome.storage.local.set({vimiumSecret: secretToken});
 
 const completionSources = {
   bookmarks: new BookmarkCompleter,
diff --git a/tests/unit_tests/test_chrome_stubs.js b/tests/unit_tests/test_chrome_stubs.js
@@ -1,13 +1,30 @@
 //
-// This is a stub for chrome.strorage.sync for testing.
-// It does what chrome.storage.sync should do (roughly), but does so synchronously.
-// It also provides stubs for a number of other chrome APIs.
+// This file contains stubs for a number of browser and chrome APIs which are missing in
+// Node.js.
+// The chrome.storage.sync stub does roughly what chrome.storage.sync should do, but does so synchronously.
 //
 
-let XMLHttpRequest;
+const nodeCrypto = require("crypto");
+
 global.window = {};
 global.localStorage = {};
 
+window.crypto = {
+  // This polyfill was taken from
+  // https://github.com/KenanY/get-random-values
+  getRandomValues: (buffer) => {
+    if (!(buffer instanceof Uint8Array))
+      throw new TypeError('expected Uint8Array');
+    if (buffer.length > 65536)
+      throw new Error("Buffer length cannot be larger than 65536; this API doesn't support that much entropy.");
+    var bytes = nodeCrypto.randomBytes(buffer.length);
+    buffer.set(bytes);
+    return buffer;
+  }
+}
+
+let XMLHttpRequest;
+
 global.navigator =
   {appVersion: "5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36"};
 
