feat: recordHookStream #711
base: main
Conversation
`Rate limited, retry attempt ${attempt + 1} of ${MAX_RETRIES}` | ||
) | ||
const delay = | ||
INITIAL_RETRY_DELAY * Math.pow(1.5, attempt) * (0.75 + Math.random()) |
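Review bot: the scanner findings on this line are a false positive as far as CWE-327/CWE-338 go. `Math.random()` here only jitters a retry delay (`0.75 + Math.random()` scales `INITIAL_RETRY_DELAY * Math.pow(1.5, attempt)`); the value is never used as a key, token or nonce, so an attacker who could predict it gains nothing. If the team prefers the finding to disappear rather than be dismissed, `crypto.randomInt()` or `crypto.randomBytes()` can supply the jitter at negligible cost; either way, record the decision on the finding so the next scan does not re-raise it.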
Nullify Code
Language: TypeScript
🔵 MEDIUM Severity
CWE-327
Node insecure random generator
crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
Reply with /nullify to interact with me like another developer (you will need to refresh the page for updates)
`Rate limited, retry attempt ${attempt + 1} of ${MAX_RETRIES}` | ||
) | ||
const delay = | ||
INITIAL_RETRY_DELAY * Math.pow(1.5, attempt) * (0.75 + Math.random()) |
Nullify Code
Language: TypeScript
🔵 MEDIUM Severity
CWE-338
Rules lgpl javascript crypto rule node insecure random generator
This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. This could lead to breaches where sensitive data is accessed or manipulated, authentication mechanisms are bypassed, or secure communications are intercepted, ultimately undermining the security of the entire system or application.

Mitigation strategy:

Replace the use of these cryptographically weak random number generators with `crypto.randomBytes()`, a method provided by Node.js's `crypto` module that generates cryptographically secure random numbers. This method should be used for all operations requiring secure randomness, such as generating keys, tokens, or any cryptographic material.

Secure Code Example:

```javascript
const crypto = require('crypto');
const secureBytes = crypto.randomBytes(256);
console.log(`Secure random bytes: ${secureBytes.toString('hex')}`);
```
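The scanner's advice above conflates two situations: randomness that only shapes timing (the retry jitter in this PR) and randomness that must be unguessable (tokens, keys). The block below is an added example, not code from this PR, from Flatfile, or from the Nullify scanner. It assumes `INITIAL_RETRY_DELAY = 1000` ms and `MAX_RETRIES = 5` (hypothetical values; the PR does not show them) and adds a hypothetical `rng` parameter so the jitter source can be swapped. It shows the PR's delay formula, a CSPRNG-backed float built from `crypto.randomBytes()` that can replace `Math.random()` if the team wants the finding gone rather than dismissed, and the case where `randomBytes()` genuinely matters: an unguessable token.

```typescript
import { randomBytes } from 'crypto';

// Assumed constants; the PR does not show the real values.
const INITIAL_RETRY_DELAY = 1000; // ms
const MAX_RETRIES = 5;

// Same shape as the flagged line: base * 1.5^attempt * jitter, jitter in [0.75, 1.75).
// `rng` is a hypothetical injection point returning a float in [0, 1); it defaults
// to Math.random() because predictability of a backoff delay is not a security issue.
function retryDelay(attempt: number, rng: () => number = Math.random): number {
  if (!Number.isInteger(attempt) || attempt < 0 || attempt >= MAX_RETRIES) {
    throw new RangeError(`attempt ${attempt} outside 0..${MAX_RETRIES - 1}`);
  }
  const jitter = 0.75 + rng();
  return INITIAL_RETRY_DELAY * Math.pow(1.5, attempt) * jitter;
}

// The envelope a delay for `attempt` must fall inside: [base*0.75, base*1.75).
function delayBounds(attempt: number): [number, number] {
  const base = INITIAL_RETRY_DELAY * Math.pow(1.5, attempt);
  return [base * 0.75, base * 1.75];
}

// CSPRNG-backed drop-in for Math.random(): 48 random bits from the OS pool,
// scaled to a float in [0, 1). readUIntBE supports at most 6 bytes, hence 48 bits.
function secureRandomFloat(): number {
  return randomBytes(6).readUIntBE(0, 6) / 2 ** 48;
}

// Where weak randomness actually matters: a bearer/session token that must be
// unguessable. randomBytes() draws from the OS CSPRNG; base64url keeps it URL-safe.
function secureToken(byteLength = 32): string {
  if (!Number.isInteger(byteLength) || byteLength < 16) {
    throw new RangeError('token entropy must be at least 16 bytes');
  }
  return randomBytes(byteLength).toString('base64url');
}

// Sanity check: every CSPRNG-jittered delay stays inside the envelope.
function jitterStaysInEnvelope(attempt: number, samples = 1000): boolean {
  const [lo, hi] = delayBounds(attempt);
  for (let i = 0; i < samples; i++) {
    const d = retryDelay(attempt, secureRandomFloat);
    if (d < lo || d >= hi) return false;
  }
  return true;
}
```

`secureRandomFloat()` costs one 6-byte syscall-backed read per retry, which is irrelevant next to the network round trip it is delaying; `secureToken()` is the call the scanner's CWE-338 text is really about.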
Nullify Code Vulnerabilities: 2 findings found in this pull request. You can find a list of all findings here.
1dad681 to 3d9dfcc
) => { | ||
return (listener: FlatfileListener) => { | ||
listener.on('commit:created', { sheetSlug }, (event: FlatfileEvent) => | ||
recordReadWriteStream(callback, event, options) |
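Review bot: the arrow handler forwards whatever `recordReadWriteStream(callback, event, options)` returns without catching a rejection. If `listener.on()` does not await or catch the returned promise, an error raised inside the stream for a `commit:created` event surfaces as an unhandled promise rejection rather than as a logged, per-commit failure. Either confirm the listener awaits handler results, or wrap the call so the failure is reported against the event (and the commit is not left half-processed).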
Why the `then()`/`catch()` syntax vs `async`/`await`?
Please explain how to summarize this PR for the Changelog:
Tell code reviewer how and what to test: