From f8b26bf98e96facee9b1f9b646922f72009ef8a7 Mon Sep 17 00:00:00 2001
From: "Chen, Xiaoqiang"
Date: Sat, 28 Mar 2026 11:12:18 +0800
Subject: [PATCH 1/3] Potential fix for code scanning alert no. 1: Insecure randomness
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/systems/InventorySystem.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/systems/InventorySystem.ts b/src/systems/InventorySystem.ts
index 6c95080..8755c5a 100644
--- a/src/systems/InventorySystem.ts
+++ b/src/systems/InventorySystem.ts
@@ -4,6 +4,7 @@ import { SetDefinitions } from '../data/items/sets';
 import { DUNGEON_EXCLUSIVE_SETS } from '../data/dungeonData';
 import type { ItemInstance, EquipSlot, WeaponBase, ArmorBase, GemInstance } from '../data/types';
 import { emptyEquipStats, type EquipStats } from './CombatSystem';
+import * as crypto from 'crypto';
 const MAX_INVENTORY = 100;
 const MAX_STASH = 80;
@@ -346,7 +347,7 @@ export class InventorySystem {
 // Create an inventory item for the gem
 const gemBase = getItemBase(gem.gemId);
 const gemItem: ItemInstance = {
- uid: `gem_${Date.now()}_${Math.random().toString(36).substring(2, 8)}`,
+ uid: `gem_${Date.now()}_${crypto.randomBytes(4).toString('hex')}`,
 baseId: gem.gemId,
 name: gem.name,
 quality: 'normal',
From ce3808749656bd6a24828e951d6dbc6be327640c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 28 Mar 2026 03:14:56 +0000
Subject: [PATCH 2/3] Fix insecure randomness using Web Crypto API (browser-compatible)
Agent-Logs-Url: https://github.com/feuvan/abyssfire/sessions/6057e0af-7e85-4099-837d-d0aa575a7494
Co-authored-by: feuvan <7534+feuvan@users.noreply.github.com>
---
 src/systems/InventorySystem.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/systems/InventorySystem.ts b/src/systems/InventorySystem.ts
index 8755c5a..b8b257d 100644
--- a/src/systems/InventorySystem.ts
+++ b/src/systems/InventorySystem.ts
@@ -4,7 +4,6 @@ import { SetDefinitions } from '../data/items/sets';
 import { DUNGEON_EXCLUSIVE_SETS } from '../data/dungeonData';
 import type { ItemInstance, EquipSlot, WeaponBase, ArmorBase, GemInstance } from '../data/types';
 import { emptyEquipStats, type EquipStats } from './CombatSystem';
-import * as crypto from 'crypto';
 const MAX_INVENTORY = 100;
 const MAX_STASH = 80;
@@ -347,7 +346,7 @@ export class InventorySystem {
 // Create an inventory item for the gem
 const gemBase = getItemBase(gem.gemId);
 const gemItem: ItemInstance = {
- uid: `gem_${Date.now()}_${crypto.randomBytes(4).toString('hex')}`,
+ uid: `gem_${Date.now()}_${Array.from(globalThis.crypto.getRandomValues(new Uint8Array(4))).map(b => b.toString(16).padStart(2, '0')).join('')}`,
 baseId: gem.gemId,
 name: gem.name,
 quality: 'normal',
From 05ae3ea4adb62def10cd94d0b921c409256b4309 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 28 Mar 2026 15:51:48 +0000
Subject: [PATCH 3/3] Refactor: extract randomHex helper to clean up UID generation
Agent-Logs-Url: https://github.com/feuvan/abyssfire/sessions/0f7840da-6eaa-47c4-9e87-564e64d394f1
Co-authored-by: feuvan <7534+feuvan@users.noreply.github.com>
---
 src/systems/InventorySystem.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/systems/InventorySystem.ts b/src/systems/InventorySystem.ts
index b8b257d..9874afd 100644
--- a/src/systems/InventorySystem.ts
+++ b/src/systems/InventorySystem.ts
@@ -8,6 +8,12 @@ import { emptyEquipStats, type EquipStats } from './CombatSystem';
 const MAX_INVENTORY = 100;
 const MAX_STASH = 80;
+function randomHex(bytes: number): string {
+ return Array.from(globalThis.crypto.getRandomValues(new Uint8Array(bytes)))
+ .map(b => b.toString(16).padStart(2, '0'))
+ .join('');
+}
+
 export class InventorySystem {
 inventory: ItemInstance[] = [];
 equipment: Partial> = {};
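Review bot: `randomHex` calls `globalThis.crypto.getRandomValues` without checking that Web Crypto is present, and the same unchecked call first appears inline on the `uid:` line of PATCH 2/3. Browsers provide it, but a test runner or older Node runtime that lacks the global would presumably fail here with a TypeError that says nothing about randomness. `bytes` is unchecked as well: a negative count throws a bare RangeError, a fractional one is silently truncated, and anything above 65536 is rejected by `getRandomValues()`. The guard below fails with a specific error rather than falling back to `Math.random()`. The helper also has no doc comment; one TSDoc line saying it returns `2 * bytes` lowercase hex characters from the platform CSPRNG would be enough.

```typescript
function randomHex(bytes: number): string {
  // getRandomValues() accepts at most 65536 bytes per call; reject bad counts up front.
  if (!Number.isInteger(bytes) || bytes < 0 || bytes > 65536) {
    throw new RangeError(`randomHex: invalid byte count ${bytes}`);
  }
  const webCrypto = globalThis.crypto;
  if (typeof webCrypto?.getRandomValues !== 'function') {
    // Fail closed: never substitute Math.random() for the CSPRNG.
    throw new Error('randomHex: Web Crypto getRandomValues() is unavailable in this runtime');
  }
  const buf = webCrypto.getRandomValues(new Uint8Array(bytes));
  // … unchanged: hex-encode each byte of buf and join …
}
```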
@@ -346,7 +352,7 @@ export class InventorySystem {
 // Create an inventory item for the gem
 const gemBase = getItemBase(gem.gemId);
 const gemItem: ItemInstance = {
- uid: `gem_${Date.now()}_${Array.from(globalThis.crypto.getRandomValues(new Uint8Array(4))).map(b => b.toString(16).padStart(2, '0')).join('')}`,
+ uid: `gem_${Date.now()}_${randomHex(4)}`,
 baseId: gem.gemId,
 name: gem.name,
 quality: 'normal',
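Review bot: The `uid` suffix on the new line is still 4 random bytes (32 bits) after a guessable `Date.now()` prefix, the same width as in PATCH 1/3 and 2/3, so changing the generator does not by itself make the identifier hard to guess. If `uid` only has to be unique within a player's inventory that is enough, and a comment such as `// uid is a uniqueness key, not a secret: timestamp + 32 random bits` would record why the scanner alert is considered closed. If it is ever used as a lookup key that other parties could guess (not visible in this hunk), pass a larger count, for example `randomHex(16)`. The enclosing method starts and ends outside the hunk.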