
Conversation

Matejk00
Contributor

Closes: CXSPA-10980

@Matejk00 Matejk00 requested a review from a team as a code owner September 18, 2025 11:49
@github-actions github-actions bot marked this pull request as draft September 18, 2025 11:49
Contributor

🚨 PR Title Validation Failed 🚨

Your pull request title does not follow the required format. Please update it to match the expected pattern:

Expected format:
<type>: <subject>

Allowed Types

  • docs: Changes to documentation only
  • feat: New feature work
  • fix: Bug fixes
  • perf: Code improvements for performance
  • refactor: Code changes that are not bug fixes or features
  • style: Code style changes (e.g., whitespace, formatting)
  • test: Adding or updating tests
  • chore: Build, CI, scripts, configs, etc.

Example of a valid PR title

feat: Add user authentication
fix: Resolve checkout bug
docs: Update API documentation

Merge is blocked until the PR title is corrected.

Function(script[0].innerText)();

const originalScript = script[0].innerText;
const sessionId = this.generateSessionId();

Check failure

Code scanning / CodeQL

Insecure randomness High

This uses a cryptographically insecure random number generated at Math.random() in a security context.

Copilot Autofix

AI 19 days ago

To fix the problem, we should replace the usage of Math.random() in generateSessionId() with a call to a cryptographically secure random number generator. In Node.js and modern browsers, the crypto module provides such functionality. To maintain compatibility with the rest of the code and stay within the shown region, we should import Node's built-in crypto module and use crypto.randomBytes() to generate a random string value for the session ID. The rest of the function can remain unchanged.

In file integration-libs/opf/base/root/services/opf-resource-loader.service.ts, we need to:

  • Add an import for Node's crypto module.
  • Replace line 246 so that instead of using Math.random().toString(36).substring(2), we use a securely generated random string, e.g., from crypto.randomBytes(16).toString('hex').
Suggested changeset 1
integration-libs/opf/base/root/services/opf-resource-loader.service.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/integration-libs/opf/base/root/services/opf-resource-loader.service.ts b/integration-libs/opf/base/root/services/opf-resource-loader.service.ts
--- a/integration-libs/opf/base/root/services/opf-resource-loader.service.ts
+++ b/integration-libs/opf/base/root/services/opf-resource-loader.service.ts
@@ -8,6 +8,7 @@
 import { Injectable, PLATFORM_ID, inject } from '@angular/core';
 import { Config, ScriptLoader } from '@spartacus/core';
 
+import * as crypto from 'crypto';
 import {
   OpfDynamicScriptResource,
   OpfDynamicScriptResourceType,
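Review bot: `import * as crypto from 'crypto'` brings Node's built-in module into a file that already imports `PLATFORM_ID` from `@angular/core`, i.e. a service that is bundled for the browser as well as executed under server-side rendering; the browser has no `crypto` module, so the bundle will either fail to build or need a polyfill. The Web Crypto API (`globalThis.crypto.getRandomValues(...)`) is available in every modern browser and in Node 19+ (older Node exposes the same object as `webcrypto` from `node:crypto`), so the finding can be fixed without adding any import at all.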
@@ -243,7 +244,7 @@
    */
   private generateSessionId(): string {
     const timestamp = Date.now();
-    const random = Math.random().toString(36).substring(2);
+    const random = crypto.randomBytes(16).toString('hex');
     return `opf-session-${timestamp}-${random}`;
   }
 
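Review bot: `crypto.randomBytes(16).toString('hex')` yields 128 bits from a CSPRNG and so does resolve the CodeQL finding, but only where Node's `crypto` module resolves; to keep the `opf-session-${timestamp}-${random}` format in a platform-neutral way, fill a `new Uint8Array(16)` with `getRandomValues` and hex-encode it. Note also that the `Date.now()` prefix contributes uniqueness but no secrecy, so all of the unpredictability of the id must come from the random part, which is why 16 bytes rather than a handful of base-36 digits is the right size here.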
EOF
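As an added example (not code from the Spartacus project and not Copilot's suggested patch), the following TypeScript shows the flagged pattern beside a hardened version that uses Web Crypto rather than Node's `crypto` module, so the same function runs in the browser, under SSR and in Node tests. The `RandomSource` interface, the `webcrypto` fallback for older Node versions, the `toHex` helper and the `parseSessionId` format check are all assumptions of this example, not part of the project's API.

```typescript
import { webcrypto } from 'node:crypto';

// The one Web Crypto method this example needs; both the browser's
// globalThis.crypto and Node's webcrypto object satisfy it.
interface RandomSource {
  getRandomValues(array: Uint8Array): Uint8Array;
}

// Browsers and Node >= 19 expose Web Crypto as globalThis.crypto; older Node
// versions expose the identical API as webcrypto from 'node:crypto' (assumption:
// the code runs in one of those environments, never somewhere with neither).
function resolveRandomSource(): RandomSource {
  const g = (globalThis as unknown as { crypto?: RandomSource }).crypto;
  if (g && typeof g.getRandomValues === 'function') return g;
  return webcrypto as unknown as RandomSource;
}

// Hex-encode a byte array: 16 bytes -> 32 lowercase hex characters.
export function toHex(bytes: Uint8Array): string {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// The pattern CodeQL flagged, kept here for comparison. Math.random() is a
// non-cryptographic PRNG: its output can be predicted after observing a few
// values, and toString(36).substring(2) yields only ~50 bits at best.
export function generateSessionIdInsecure(now: number = Date.now()): string {
  const random = Math.random().toString(36).substring(2);
  return `opf-session-${now}-${random}`;
}

// Hardened version: 16 bytes (128 bits) from the platform CSPRNG, hex-encoded.
// The source is injectable so tests can pass a deterministic stand-in.
export function generateSessionIdSecure(
  now: number = Date.now(),
  source: RandomSource = resolveRandomSource(),
): string {
  const bytes = source.getRandomValues(new Uint8Array(16));
  return `opf-session-${now}-${toHex(bytes)}`;
}

// Strict format check for the hardened id: a decimal timestamp followed by
// exactly 32 hex characters. Returns null for anything else, including the
// short base-36 suffix produced by the insecure variant.
export function parseSessionId(id: string): { timestamp: number; random: string } | null {
  const m = /^opf-session-(\d+)-([0-9a-f]{32})$/.exec(id);
  if (!m) return null;
  return { timestamp: Number(m[1]), random: m[2] };
}
```

Because the random source is a parameter, the Angular service could keep calling `generateSessionId()` with no arguments in production while unit tests supply a fixed `RandomSource` and assert on the exact string, which is not possible with a bare `Math.random()` call.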