feat: remove insecure fallback random number generator

BREAKING CHANGE: Remove builtin support for insecure random number generators in the browser. Users who want that will have to supply their own random number generator function. Fixes #173.
uuidjs · Jan 20, 2020 · 8f71d27 · 8f71d27
1 parent d4e31d4
commit 8f71d27
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 40 deletions.
diff --git a/src/rng-browser.js b/src/rng-browser.js
@@ -11,31 +11,12 @@ var getRandomValues =
     typeof window.msCrypto.getRandomValues == 'function' &&
     msCrypto.getRandomValues.bind(msCrypto));
 
-let rng;
-
-if (getRandomValues) {
-  // WHATWG crypto RNG - http://wiki.whatwg.org/wiki/Crypto
-  var rnds8 = new Uint8Array(16); // eslint-disable-line no-undef
-
-  rng = function whatwgRNG() {
-    getRandomValues(rnds8);
-    return rnds8;
-  };
-} else {
-  // Math.random()-based (RNG)
-  //
-  // If all else fails, use Math.random().  It's fast, but is of unspecified
-  // quality.
-  var rnds = new Array(16);
-
-  rng = function mathRNG() {
-    for (var i = 0, r; i < 16; i++) {
-      if ((i & 0x03) === 0) r = Math.random() * 0x100000000;
-      rnds[i] = (r >>> ((i & 0x03) << 3)) & 0xff;
-    }
-
-    return rnds;
-  };
+var rnds8 = new Uint8Array(16); // eslint-disable-line no-undef
+export default function rng() {
+  if (!getRandomValues) {
+    throw new Error(
+      'uuid: This browser does not seem to support crypto.getRandomValues(). If you need to support this browser, please provide a custom random number generator through options.rng',
+    );
+  }
+  return getRandomValues(rnds8);
 }
-
-export default rng;
diff --git a/src/rng.js b/src/rng.js
@@ -1,5 +1,5 @@
 import crypto from 'crypto';
 
-export default function nodeRNG() {
+export default function rng() {
   return crypto.randomBytes(16);
 }
diff --git a/test/browser/ie.test.js b/test/browser/ie.test.js
@@ -14,4 +14,10 @@ browserTest('ie', 9003, [
     os: 'Windows',
     os_version: '7',
   },
+  {
+    browserName: 'IE',
+    browser_version: '8.0',
+    os: 'Windows',
+    os_version: '7',
+  },
 ]);
diff --git a/test/unit/unit.test.js b/test/unit/unit.test.js
@@ -10,9 +10,7 @@ import v3 from '../../src/v3.js';
 import v5 from '../../src/v5.js';
 
 describe('rng', () => {
-  test('nodeRNG', () => {
-    assert.equal(rng.name, 'nodeRNG');
-
+  test('Node.js RNG', () => {
     var bytes = rng();
     assert.equal(bytes.length, 16);
 
@@ -21,15 +19,10 @@ describe('rng', () => {
     }
   });
 
-  test('mathRNG', () => {
-    assert.equal(rngBrowser.name, 'mathRNG');
-
-    var bytes = rng();
-    assert.equal(bytes.length, 16);
-
-    for (var i = 0; i < bytes.length; i++) {
-      assert.equal(typeof bytes[i], 'number');
-    }
+  test('Browser without crypto.getRandomValues()', () => {
+    assert.throws(() => {
+      rngBrowser();
+    });
   });
 
   // Test of whatwgRNG missing for now since with esmodules we can no longer manipulate the