[zihdoc te6e1b g5zk5h ++]: Posthog survey & major dx changes #219
Gizmotronn merged 11 commits into main from
Conversation
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Check failure
Code scanning / CodeQL
Insecure randomness
Copilot Autofix
AI 8 days ago
In general, to fix insecure randomness in browser/React code, replace uses of `Math.random()` in security-sensitive contexts with `crypto.getRandomValues`, which is a cryptographically secure pseudorandom number generator. For generating a random floating-point number in [0, 1), you can take an unsigned 32-bit integer from `crypto.getRandomValues(new Uint32Array(1))[0]` and scale it by 2^-32. This avoids predictability while still fitting into the same usage pattern as `Math.random()`.
For this specific file, `src/components/discovery/data-sources/Astronomers/PlanetHunters/PlanetGenerator.tsx`, we should introduce a small helper function that returns a secure random float in [0, 1) and then replace the two usages of `Math.random()` used to compute latitude and longitude. This will preserve existing behavior (still generating a uniform-like float in [0, 1) and mapping it into the same angle ranges) but use a cryptographically secure source. The helper can be defined near the top of the file (after imports) and implemented using `window.crypto.getRandomValues` with a `Uint32Array`. No existing imports need to change; no new external dependencies are necessary.
Concretely:
- Add a `secureRandom()` helper that returns a `number` in `[0, 1)`.
- Replace:
  - `latitude: Math.random() * 180 - 90` with `latitude: secureRandom() * 180 - 90`
  - `longitude: Math.random() * 360 - 180` with `longitude: secureRandom() * 360 - 180`

  in both the `catch` block and the `else` block where the fallback position is set.
This maintains functionality while eliminating the insecure RNG.
| @@ -16,6 +16,17 @@ | ||
| import { Textarea } from "@/src/components/ui/textarea"; | ||
| import { mergeClassificationConfiguration } from "@/src/lib/gameplay/classification-configuration"; | ||
|
|
||
| // Generate a cryptographically secure random number in the range [0, 1) | ||
| function secureRandom(): number { | ||
| if (typeof window !== "undefined" && window.crypto && window.crypto.getRandomValues) { | ||
| const array = new Uint32Array(1); | ||
| window.crypto.getRandomValues(array); | ||
| return array[0] * Math.pow(2, -32); | ||
| } | ||
| // Fallback to Math.random() if crypto is unavailable (should be rare) | ||
| return Math.random(); | ||
| } | ||
|
|
||
| interface PlanetGeneratorProps { | ||
| classificationId: string; | ||
| editMode?: boolean; | ||
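Review bot: the `// Fallback to Math.random() if crypto is unavailable` branch at the end of `secureRandom()` undoes the fix: any environment without `window.crypto.getRandomValues` silently gets the same predictable generator the alert is about, and the remaining `Math.random()` call is likely to keep the CodeQL finding open. Throw (or otherwise make the caller handle the missing CSPRNG) rather than degrading silently, and since the `typeof window !== "undefined"` guard shows the helper can run outside a browser, consider `globalThis.crypto`, which is available in modern browsers and recent Node versions, so the guard and the fallback are both unnecessary in practice. Minor: `array[0] * 2 ** -32` reads more directly than `Math.pow(2, -32)`.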
| @@ -254,14 +265,14 @@ | ||
| position = typeof configLocation === 'string' ? JSON.parse(configLocation) : configLocation; | ||
| } catch { | ||
| position = { | ||
| latitude: Math.random() * 180 - 90, | ||
| longitude: Math.random() * 360 - 180, | ||
| latitude: secureRandom() * 180 - 90, | ||
| longitude: secureRandom() * 360 - 180, | ||
| }; | ||
| } | ||
| } else { | ||
| position = { | ||
| latitude: Math.random() * 180 - 90, | ||
| longitude: Math.random() * 360 - 180, | ||
| latitude: secureRandom() * 180 - 90, | ||
| longitude: secureRandom() * 360 - 180, | ||
| }; | ||
| } | ||
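Review bot: in the `try`/`catch` block, whatever `JSON.parse(configLocation)` returns (or a non-string `configLocation` as-is) is assigned to `position` unchecked, so a config value with a missing, non-numeric or out-of-range `latitude`/`longitude` is used directly and only a JSON syntax error reaches the random fallback; validate the parsed shape and send a bad shape down the same fallback path. The empty `catch {` also discards the parse error, so a malformed config is indistinguishable from a deliberately unset one; log it. The `{ latitude: secureRandom() * 180 - 90, longitude: secureRandom() * 360 - 180 }` literal is now duplicated in the `catch` and `else` branches and would be clearer as a single `randomPosition()` helper.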
Gizmotronn
left a comment
Checks seemed to pass, now it's up to the merge...
This pull request significantly refactors the project's GitHub Actions CI/CD workflows by consolidating multiple separate workflow files into a single, unified pipeline (`.github/workflows/pipeline.yml`). It also updates configuration for development and testing environments, and makes minor improvements to linting and Docker ignore settings. The changes aim to simplify maintenance, improve reliability, and centralize automation logic.

CI/CD Workflow Consolidation and Improvements:
- `.github/workflows/pipeline.yml`: the new pipeline orchestrates testing, building, deployment, scheduled maintenance, and security analysis, with conditional steps and improved environment handling.
- Separate workflow files consolidated into it:
  - `.github/workflows/build.yml`
  - `.github/workflows/codeql.yml`
  - `.github/workflows/cypress.yml.go`
  - `.github/workflows/e2e.yml.go`
  - `.github/workflows/eventstable.yml.txt`
  - `.github/workflows/notify-unclassified-discoveries.yml`
  - `.github/workflows/delete-push-anomaly-log.yml`
  - `.github/workflows/unlock-solarhealth-anomalies.yml`

Environment and Configuration Updates:
- `.env.example`: updated to support analytics integration.
- `DATABASE_URL` for local Postgres added to `.env.test` to improve test consistency and local development setup.

Linting and Docker Ignore Adjustments:
- `.eslintrc.json`: several TypeScript and React linting rules disabled, reducing noise and friction during development.
- `.dockerignore`: now only ignores Docker Compose files in the `ops/compose/` directory, making the Docker context more precise.

These changes centralize and streamline CI/CD automation, improve local and test environment configuration, and make development smoother by reducing unnecessary lint warnings.