fix: replace Math.random with CSPRNG by hiddeco · Pull Request #1604 · airweave-ai/airweave

hiddeco · 2026-03-12T16:19:00Z

CASA-46 requires all random value generation to use cryptographically secure PRNGs. This migrates every call site in both backend and frontend.

Backend: random.uniform, random.randint, and random.choices are replaced with secrets.randbelow throughout OAuth retry jitter, email scheduling, and web-fetcher backoff. Readable ID generation is extracted into core/readable_id.py using secrets.choice (rejection-sampled, zero bias), deduplicating logic from collection.py and connection.py.

Frontend: inline Math.random ID generators are consolidated into lib/readable-id.ts using crypto.getRandomValues(new Uint32Array(...)). Uint32Array is used instead of Uint8Array to avoid modulo bias (256 % 36 = 4 biased values). FilterBuilderModal switches to crypto.randomUUID for React keys. The unused Input import in CreateCollectionView is removed.

frontend/src/lib/readable-id.ts

cubic-dev-ai

No issues found across 12 files

cubic-dev-ai

1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)


Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="frontend/eslint.config.js">

<violation number="1" location="frontend/eslint.config.js:31">
P1: Custom agent: **Check for Cursor Rules Drift**

Cursor rules drift: a new frontend security convention (forbid `Math.random`, require Web Crypto RNG) was added in ESLint but not reflected in the relevant Cursor frontend rule (`.cursor/rules/frontend-rules.mdc`). Update that rule so Cursor-generated code follows the same CSPRNG requirement.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

frontend/eslint.config.js

cubic-dev-ai

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)


Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".cursor/rules/frontend-rules.mdc">

<violation number="1" location=".cursor/rules/frontend-rules.mdc:345">
P1: Custom agent: **Check for Cursor Rules Drift**

Update the backend Cursor rule too. This PR introduces a repo-wide randomness convention, but the added rule only covers frontend APIs; `.cursor/rules/backend-rules.mdc` still lacks guidance to use Python `secrets.*` instead of `random.*`, so Cursor remains out of sync for backend changes.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

.cursor/rules/frontend-rules.mdc

The lint rules banning `Math.random()` (3592d4b) and `random.*` (13bc3b6) were not reflected in the Cursor AI rules files. AI-generated code could still use the banned APIs, producing immediate lint failures. Add a Security/Randomness subsection to both `frontend-rules.mdc` and `backend-rules.mdc` so that Cursor-generated code uses the correct CSPRNG APIs (`crypto.getRandomValues` / `secrets.*`) from the start.

hiddeco added the security Related to security, vulnerabilities, or hardening label Mar 12, 2026

hiddeco temporarily deployed to dev March 12, 2026 16:19 — with GitHub Actions Inactive

github-advanced-security bot found potential problems Mar 12, 2026

View reviewed changes

frontend/src/lib/readable-id.ts Fixed Show fixed Hide fixed

hiddeco temporarily deployed to dev March 12, 2026 16:21 — with GitHub Actions Inactive

hiddeco had a problem deploying to dev March 12, 2026 16:21 — with GitHub Actions Error

hiddeco temporarily deployed to dev March 12, 2026 16:21 — with GitHub Actions Inactive

hiddeco had a problem deploying to dev March 12, 2026 16:21 — with GitHub Actions Failure

hiddeco temporarily deployed to dev March 12, 2026 16:21 — with GitHub Actions Inactive

cubic-dev-ai bot reviewed Mar 12, 2026

View reviewed changes

hiddeco temporarily deployed to dev March 12, 2026 16:36 — with GitHub Actions Inactive

hiddeco temporarily deployed to dev March 12, 2026 16:38 — with GitHub Actions Inactive

hiddeco had a problem deploying to dev March 12, 2026 16:38 — with GitHub Actions Failure

hiddeco temporarily deployed to dev March 12, 2026 16:38 — with GitHub Actions Inactive

hiddeco had a problem deploying to dev March 12, 2026 16:38 — with GitHub Actions Failure

hiddeco temporarily deployed to dev March 12, 2026 16:38 — with GitHub Actions Inactive

cubic-dev-ai bot reviewed Mar 12, 2026

View reviewed changes

frontend/eslint.config.js Show resolved Hide resolved

hiddeco force-pushed the fix/casa-46-csprng-migration branch from 3f29242 to 832af30 Compare March 12, 2026 17:50

hiddeco temporarily deployed to dev March 12, 2026 17:51 — with GitHub Actions Inactive

hiddeco had a problem deploying to dev March 12, 2026 17:54 — with GitHub Actions Failure

hiddeco temporarily deployed to dev March 12, 2026 17:54 — with GitHub Actions Inactive

hiddeco had a problem deploying to dev March 12, 2026 17:54 — with GitHub Actions Failure

hiddeco temporarily deployed to dev March 12, 2026 17:54 — with GitHub Actions Inactive

felixschmetz approved these changes Mar 13, 2026

View reviewed changes

hiddeco force-pushed the fix/casa-46-csprng-migration branch from b5ec467 to 7afa37e Compare March 16, 2026 08:11

hiddeco temporarily deployed to dev March 16, 2026 08:11 — with GitHub Actions Inactive

hiddeco temporarily deployed to dev March 16, 2026 08:12 — with GitHub Actions Inactive

hiddeco had a problem deploying to dev March 16, 2026 08:12 — with GitHub Actions Error

hiddeco had a problem deploying to dev March 16, 2026 08:13 — with GitHub Actions Failure

hiddeco temporarily deployed to dev March 16, 2026 08:13 — with GitHub Actions Inactive

hiddeco temporarily deployed to dev March 16, 2026 08:18 — with GitHub Actions Inactive

hiddeco temporarily deployed to dev March 16, 2026 08:19 — with GitHub Actions Inactive

hiddeco had a problem deploying to dev March 16, 2026 08:19 — with GitHub Actions Failure

hiddeco temporarily deployed to dev March 16, 2026 08:21 — with GitHub Actions Inactive

hiddeco had a problem deploying to dev March 16, 2026 08:21 — with GitHub Actions Failure

cubic-dev-ai bot reviewed Mar 16, 2026

View reviewed changes

.cursor/rules/frontend-rules.mdc Show resolved Hide resolved

hiddeco force-pushed the fix/casa-46-csprng-migration branch from f311308 to eb63d84 Compare March 16, 2026 08:56

hiddeco temporarily deployed to dev March 16, 2026 08:56 — with GitHub Actions Inactive

hiddeco temporarily deployed to dev March 16, 2026 08:57 — with GitHub Actions Inactive

hiddeco had a problem deploying to dev March 16, 2026 08:57 — with GitHub Actions Failure

hiddeco temporarily deployed to dev March 16, 2026 08:58 — with GitHub Actions Inactive

hiddeco had a problem deploying to dev March 16, 2026 08:58 — with GitHub Actions Failure

hiddeco merged commit 121935b into main Mar 16, 2026
15 of 19 checks passed

hiddeco deleted the fix/casa-46-csprng-migration branch March 16, 2026 09:06

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: replace Math.random with CSPRNG#1604

fix: replace Math.random with CSPRNG#1604
hiddeco merged 4 commits intomainfrom
fix/casa-46-csprng-migration

hiddeco commented Mar 12, 2026

Uh oh!

Uh oh!

cubic-dev-ai bot left a comment

Uh oh!

cubic-dev-ai bot left a comment

Uh oh!

Uh oh!

cubic-dev-ai bot left a comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

hiddeco commented Mar 12, 2026

Uh oh!

Uh oh!

cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

Uh oh!

cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants