From a2c4445c2ea99343a0a707cdf192be9976e3a08a Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Sat, 24 Jan 2026 22:33:59 +0000 Subject: [PATCH] fix(security): replace all Math.random with crypto.randomBytes in fixtures Fix remaining CodeQL High severity findings for insecure randomness: - test-data.ts: generateIPAddress, generatePort, generateCrowdSecDecisionData - access-lists.ts: mockAccessListResponse - notifications.ts: generateProviderName - settings.ts: generateTestEmail All test fixture files now use crypto.randomBytes() for unique ID generation. --- tests/fixtures/access-lists.ts | 3 ++- tests/fixtures/notifications.ts | 4 +++- tests/fixtures/settings.ts | 4 +++- tests/fixtures/test-data.ts | 10 +++++----- 4 files changed, 13 insertions(+), 8 deletions(-) diff --git a/tests/fixtures/access-lists.ts b/tests/fixtures/access-lists.ts index 5ee89ee3..d0be3f4d 100644 --- a/tests/fixtures/access-lists.ts +++ b/tests/fixtures/access-lists.ts @@ -22,6 +22,7 @@ import { generateUniqueId, generateIPAddress, generateCIDR } from './test-data'; import type { AccessListData } from '../utils/TestDataManager'; +import * as crypto from 'crypto'; /** * ACL type - matches backend ValidAccessListTypes @@ -377,7 +378,7 @@ export function mockAccessListResponse( ): AccessListAPIResponse { const id = generateUniqueId(); return { - id: parseInt(id) || Math.floor(Math.random() * 10000), + id: parseInt(id) || crypto.randomBytes(2).readUInt16BE(0) % 10000, uuid: `acl-${id}`, name: config.name || `ACL-${id}`, type: config.type || 'whitelist', diff --git a/tests/fixtures/notifications.ts b/tests/fixtures/notifications.ts index 86a16970..1789191a 100644 --- a/tests/fixtures/notifications.ts +++ b/tests/fixtures/notifications.ts 
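Review bot: `crypto.randomBytes(2).readUInt16BE(0) % 10000` in the new `id` fallback is modulo-biased (65536 is not a multiple of 10000, so 0–5535 come up slightly more often) and is harder to read than `crypto.randomInt(10000)`, which Node has shipped since 14.10 and which CodeQL's insecure-randomness query also accepts; if the project's Node floor allows it, `id: parseInt(id, 10) || crypto.randomInt(10000),`. The `||` also still routes a `parseInt` result of `0` or `NaN` (whatever `generateUniqueId()` returns when it is not numeric — its format is outside this hunk) to the random path, so `id` and `uuid: \`acl-${id}\`` can disagree within one response. A comment making that explicit would help the next reader: `// numeric id when the unique id parses; otherwise a random id that will not match uuid`. For fixtures the bias is harmless, so the first point is mainly one of style.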
@@ -5,6 +5,8 @@ * These fixtures provide consistent test data across notification-related test files. */ +import * as crypto from 'crypto'; + // ============================================================================ // Notification Provider Types // ============================================================================ @@ -52,7 +54,7 @@ export interface NotificationProvider extends NotificationProviderConfig { * Generate a unique provider name */ export function generateProviderName(prefix: string = 'test-provider'): string { - return `${prefix}-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`; + return `${prefix}-${Date.now()}-${crypto.randomBytes(3).toString('hex')}`; } /** diff --git a/tests/fixtures/settings.ts b/tests/fixtures/settings.ts index c45bd7da..b8fadb5d 100644 --- a/tests/fixtures/settings.ts +++ b/tests/fixtures/settings.ts @@ -5,6 +5,8 @@ * These fixtures provide consistent test data across settings-related test files. */ +import * as crypto from 'crypto'; + // ============================================================================ // SMTP Configuration Types and Fixtures // ============================================================================ @@ -77,7 +79,7 @@ export const invalidSMTPConfigs = { * Generate a unique test email address */ export function generateTestEmail(): string { - return `test-${Date.now()}-${Math.random().toString(36).slice(2, 8)}@test.local`; + return `test-${Date.now()}-${crypto.randomBytes(4).toString('hex')}@test.local`; } // ============================================================================ diff --git a/tests/fixtures/test-data.ts b/tests/fixtures/test-data.ts index 4cb491f6..270fe550 100644 --- a/tests/fixtures/test-data.ts +++ b/tests/fixtures/test-data.ts 
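Review bot: generateProviderName now pulls in crypto purely to silence CodeQL's js/insecure-randomness rule, and nothing in the hunk records that, so a later reader may assume the suffix is meant to be unpredictable; a one-line comment would preserve the intent: `// crypto.randomBytes only to satisfy CodeQL; uniqueness, not unpredictability, is what fixtures need`. The suffix also changed shape from 4 base36 characters to 6 hex characters, which is fine for uniqueness but worth checking against any test that matches provider names by regex or length. `import * as crypto from 'crypto'` works, but `import { randomBytes } from 'node:crypto'` is the form current TypeScript/ESLint setups recommend for Node built-ins.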
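Review bot: The `${Date.now()}-${crypto.randomBytes(N).toString('hex')}` suffix is now hand-written in settings.ts, notifications.ts and (via generateUniqueId) test-data.ts; each copy is a separate place for the next insecure-randomness finding to reappear. Since settings.ts has no other use for crypto, consider importing a shared helper from './test-data' instead of adding a module import here — `return \`test-${generateUniqueId()}@test.local\`;` if generateUniqueId already embeds a timestamp, or a small exported `randomHex(bytes)` otherwise; generateUniqueId's exact format is not visible in this patch, so confirm before reusing it. The local part grew from 6 to 8 characters, which is well within address length limits but may affect tests asserting on exact length.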
@@ -74,9 +74,9 @@ export function generateIPAddress(options: { /** Fourth octet (1-254), random if not specified */ octet4?: number; } = {}): string { - const o2 = options.octet2 ?? Math.floor(Math.random() * 256); - const o3 = options.octet3 ?? Math.floor(Math.random() * 256); - const o4 = options.octet4 ?? Math.floor(Math.random() * 253) + 1; // 1-254 + const o2 = options.octet2 ?? secureRandomInt(256); + const o3 = options.octet3 ?? secureRandomInt(256); + const o4 = options.octet4 ?? secureRandomInt(253) + 1; // 1-254 return `10.${o2}.${o3}.${o4}`; } @@ -117,7 +117,7 @@ export function generatePort(options: { max?: number; } = {}): number { const { min = 8080, max = 65000 } = options; - return Math.floor(Math.random() * (max - min + 1)) + min; + return secureRandomInt(max - min + 1) + min; } /** @@ -530,7 +530,7 @@ export function generateCrowdSecDecisionData( overrides: Partial = {} ): CrowdSecDecisionTestData { return { - ip: `10.0.${Math.floor(Math.random() * 255)}.${Math.floor(Math.random() * 255)}`, + ip: `10.0.${secureRandomInt(255)}.${secureRandomInt(255)}`, duration: '4h', reason: 'Test ban - automated testing', scope: 'ip',
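Review bot: `secureRandomInt(253) + 1` on the new octet4 line yields 1–253, but the doc comment immediately above says "Fourth octet (1-254)"; the original `Math.floor(Math.random() * 253) + 1` had the same off-by-one, so the swap carried it over rather than fixing it. If secureRandomInt(n) returns 0..n-1, as its use in generatePort suggests, the line should read `const o4 = options.octet4 ?? secureRandomInt(254) + 1; // 1-254`. secureRandomInt itself is neither defined nor imported anywhere in this patch (the diffstat's five insertions are all the replacements shown), so it presumably already exists in test-data.ts; its bound semantics are worth confirming before relying on them.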
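Review bot: `secureRandomInt(max - min + 1)` in generatePort is called without checking that `max >= min`; with `Math.random` a reversed range silently produced an out-of-range port, whereas a crypto-backed helper (for example one built on `crypto.randomInt`) will throw on a non-positive bound. Either outcome is arguably wrong for a fixture, but the behaviour change should be deliberate: add `if (max < min) throw new RangeError(\`generatePort: min ${min} > max ${max}\`);` before the return, or note in the function's doc comment that the helper already rejects such ranges. Whether the helper throws cannot be seen from this hunk.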
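Review bot: `secureRandomInt(255)` on the new `ip` line produces octets 0–254, while generateIPAddress earlier in this file uses `secureRandomInt(256)` for the same purpose; the exclusion of 255 is inherited from the original `Math.random() * 255` and looks accidental rather than intended. Unless a test depends on 255 never appearing, `ip: \`10.0.${secureRandomInt(256)}.${secureRandomInt(256)}\`,` keeps the two generators consistent, or reuse `generateIPAddress({ octet2: 0 })` so one place defines the test address space (note its fourth octet excludes 0). The generic argument on `overrides: Partial = {}` appears stripped in this rendering and presumably reads `Partial<CrowdSecDecisionTestData>` in the file.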