Merge pull request #53635 from nextcloud/fix/insecure-crypto-envs

fix(files_sharing): fallback self.crypto.getRandomValues
2026-06-10 17:23:59 -04:00 · 2025-07-28 19:51:59 +02:00 · 2025-07-28 19:51:59 +02:00 · 33ddce490b
commit 33ddce490b
parent 4eda352397 f35d164e33
9 changed files with 32 additions and 13 deletions
--- a/apps/files_sharing/src/utils/GeneratePassword.ts
+++ b/apps/files_sharing/src/utils/GeneratePassword.ts
@ -38,10 +38,29 @@ export default async function(verbose = false): Promise<string> {

 	const array = new Uint8Array(10)
 	const ratio = passwordSet.length / 255
-	self.crypto.getRandomValues(array)
+	getRandomValues(array)
 	let password = ''
 	for (let i = 0; i < array.length; i++) {
 		password += passwordSet.charAt(array[i] * ratio)
 	}
 	return password
 }
+
+/**
+ * Fills the given array with cryptographically secure random values.
+ * If the crypto API is not available, it falls back to less secure Math.random().
+ * Crypto API is available in modern browsers on secure contexts (HTTPS).
+ *
+ * @param {Uint8Array} array - The array to fill with random values.
+ */
+function getRandomValues(array: Uint8Array): void {
+	if (self?.crypto?.getRandomValues) {
+		self.crypto.getRandomValues(array)
+		return
+	}
+
+	let len = array.length
+	while (len--) {
+		array[len] = Math.floor(Math.random() * 256)
+	}
+}
--- a/dist/519-519.js
+++ b/dist/519-519.js
--- a/dist/519-519.js.map
+++ b/dist/519-519.js.map
--- a/dist/5792-5792.js
+++ b/dist/5792-5792.js
--- a/dist/5792-5792.js.map
+++ b/dist/5792-5792.js.map
--- a/dist/files_sharing-files_sharing_tab.js
+++ b/dist/files_sharing-files_sharing_tab.js
--- a/dist/files_sharing-files_sharing_tab.js.map
+++ b/dist/files_sharing-files_sharing_tab.js.map
--- a/dist/files_sharing-init.js
+++ b/dist/files_sharing-init.js
--- a/dist/files_sharing-init.js.map
+++ b/dist/files_sharing-init.js.map