From e17c94c435a000af9855e18844ebc68a8242e3ef Mon Sep 17 00:00:00 2001
From: gonzaloriestra <14979109+gonzaloriestra@users.noreply.github.com>
Date: Sun, 5 Jul 2026 00:25:08 +0000
Subject: [PATCH] [Security] Harden client ID generation in ExtensionServerClient

Replaces the use of Math.random() with globalThis.crypto.randomUUID() for generating unique client IDs in ExtensionServerClient. This ensures that IDs are cryptographically secure and unpredictable, reducing the risk of ID collisions and predictability in the UI extensions server kit.
---
 .../src/ExtensionServerClient/ExtensionServerClient.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/ui-extensions-server-kit/src/ExtensionServerClient/ExtensionServerClient.ts b/packages/ui-extensions-server-kit/src/ExtensionServerClient/ExtensionServerClient.ts
index 507bfb5df73..b77eef5842d 100644
--- a/packages/ui-extensions-server-kit/src/ExtensionServerClient/ExtensionServerClient.ts
+++ b/packages/ui-extensions-server-kit/src/ExtensionServerClient/ExtensionServerClient.ts
@@ -32,7 +32,8 @@ export class ExtensionServerClient implements ExtensionServer.Client {
   private uiExtensionsByUuid: Record = {}
   constructor(options: DeepPartial = {}) {
-    this.id = (Math.random() + 1).toString(36).substring(7)
+    // We use a cryptographically secure random generator to prevent ID predictability
+    this.id = globalThis.crypto.randomUUID()
     this.options = getValidatedOptions({
       ...options,
       connection: {
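Review bot: The new `this.id = globalThis.crypto.randomUUID()` line can throw a TypeError where the old expression never did: in browsers `crypto.randomUUID` is only exposed in secure contexts (HTTPS or localhost) and in older engines, and in Node it is only on `globalThis.crypto` from Node 19 onward, so any client constructed outside those environments now fails in the constructor. `crypto.getRandomValues` is available in every context that has `globalThis.crypto` at all, so it is the natural fallback and keeps the unpredictability goal without making construction environment-dependent; if the kit's supported runtimes are all known to provide `randomUUID`, a short comment stating that assumption would let the next reader skip this check. The change also grows the ID from a short base36 fragment to a 36-character UUID, which is fine in itself but worth a sentence in the description if anything downstream logs, displays or length-checks it. The constructor continues past the end of the hunk.
```typescript
    // We use a cryptographically secure random generator to prevent ID predictability.
    // randomUUID is missing in non-secure browser contexts and on globalThis before Node 19,
    // so fall back to getRandomValues rather than failing construction.
    const webCrypto = globalThis.crypto
    if (typeof webCrypto?.randomUUID === 'function') {
      this.id = webCrypto.randomUUID()
    } else {
      const bytes = webCrypto.getRandomValues(new Uint8Array(16))
      this.id = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('')
    }
    // … unchanged: getValidatedOptions call …
```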