[dev] [Marfuen] mariano/browserbase #1445
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
- Added @1password/sdk and @1password/sdk-core to manage credentials securely. - Updated @browserbasehq/sdk to version 2.6.0 and added @browserbasehq/stagehand for improved functionality. - Introduced new components for Browserbase integration, including a page and session management. - Adjusted Docker configuration to use environment files specific to each service. - Enhanced Next.js configuration to ensure proper handling of 1Password and Browserbase packages. This update improves the overall security and functionality of the application.
- Added SMTP configuration options to environment variables for email provisioning. - Implemented mailbox provisioning functionality using Nodemailer, allowing for automatic email creation for organizations. - Updated Browserbase integration to pass organization ID to the Stagehand component for improved session management. - Refactored 1Password credential retrieval to support organization-specific logins. This update enhances the application's email capabilities and improves the integration with Browserbase, streamlining the onboarding process for new organizations.
…oning - Changed SMTP configuration options in the environment to be optional, enhancing flexibility. - Simplified the mailbox provisioning process by removing unnecessary parameters and adjusting email formatting. - Updated the 1Password login item creation to remove the title suffix, ensuring a cleaner title format. - Improved the handling of SMTP credentials for better integration with SES. These changes enhance the application's email provisioning capabilities and streamline the organization setup process.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| // username like org-<id-short> | ||
| const localPart = params.organizationId; | ||
| const email = `comp-${localPart}@${domain}`; | ||
| const password = generateStrongPassword(); |
Check failure
Code scanning / CodeQL
Insecure randomness High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 10 days ago
The fix is to completely replace all use of Math.random() in password generation with calls to a cryptographically secure random number generator. In Node.js, this means using crypto.randomInt() for securely generating random indices into the symbols string in the pick function, as well as for randomizing the order of password characters instead of the Fisher-Yates shuffle based on Math.random(). For shuffling, the secure way in Node.js is to either implement an unbiased Fisher-Yates shuffle with crypto.randomInt() for index selection, or to use a well-known shuffle implementation with a secure random source.
Edits are needed to:
- The
pickfunction to replace its source of randomness (Math.random()). - The
.sort(() => Math.random() - 0.5)shuffling logic, which must be replaced with a secure, unbiased shuffle usingcrypto.randomInt().
These changes are all within the generateStrongPassword function in apps/app/src/lib/mail/provisionMailbox.ts. No new external dependencies are needed beyond native Node.js crypto.
Suggested changeset
1
apps/app/src/lib/mail/provisionMailbox.ts
| @@ -13,11 +13,17 @@ | ||
| const raw = crypto.randomBytes(32).toString('base64url'); | ||
| const symbols = '!@#$%^&*()-_=+[]{}'; | ||
| const pick = (s: string, n: number) => | ||
| Array.from({ length: n }, () => s[Math.floor(Math.random() * s.length)]).join(''); | ||
| const pwd = (raw.slice(0, 18) + pick(symbols, 6)) | ||
| .split('') | ||
| .sort(() => Math.random() - 0.5) | ||
| .join(''); | ||
| Array.from({ length: n }, () => s[crypto.randomInt(s.length)]).join(''); | ||
| // Secure Fisher-Yates shuffle for strong password | ||
| function secureShuffle(str: string): string { | ||
| const arr = str.split(''); | ||
| for (let i = arr.length - 1; i > 0; i--) { | ||
| const j = crypto.randomInt(i + 1); | ||
| [arr[i], arr[j]] = [arr[j], arr[i]]; | ||
| } | ||
| return arr.join(''); | ||
| } | ||
| const pwd = secureShuffle(raw.slice(0, 18) + pick(symbols, 6)); | ||
| return pwd; | ||
| } | ||
|
|
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an automated pull request to merge mariano/browserbase into dev.
It was created by the [Auto Pull Request] action.