Skip to content

Security: replace uniqid() with random_bytes() for script tokens#58

Open
nicdavidson wants to merge 2 commits intodevelopfrom
2026-04-security-scan
Open

Security: replace uniqid() with random_bytes() for script tokens#58
nicdavidson wants to merge 2 commits intodevelopfrom
2026-04-security-scan

Conversation

@nicdavidson
Copy link
Copy Markdown

@nicdavidson nicdavidson commented Apr 10, 2026

Summary

  • Replace uniqid() with bin2hex(random_bytes(32)) in NodeJs, Python, and Python3 script engines
  • uniqid() is microtime-based (~20 bits of entropy), making script auth tokens predictable
  • random_bytes(32) provides 256-bit cryptographically secure tokens
  • Add regression tests verifying source code uses random_bytes

Test plan

  • 5 new tests pass (source verification + entropy check)
  • Token format: 64-char hex string
  • Token uniqueness verified across 100 generations

thekevinm and others added 2 commits January 23, 2026 00:11
@thekevinm @claude
Add Overview section with platform description
d6e548f 
Added standard overview describing DreamFactory as a secure, self-hosted
enterprise data access platform for enterprise apps and on-prem LLMs.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@nicdavidson
Security: replace uniqid() with random_bytes(32) for script auth tokens
aa4d7cc 
uniqid() is microtime-based with ~20 bits of entropy, making script
tokens predictable. Replace with bin2hex(random_bytes(32)) for 256-bit
cryptographically secure tokens in all three script engines.

Add regression tests verifying source code uses random_bytes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nicdavidson @thekevinm