fix: replace Math.random usage by uuid for better security

Author: gre-ledger

.changeset/mighty-pigs-perform.md

@@ -0,0 +1,11 @@
+---
+"@ledgerhq/coin-solana": minor
+"ledger-live-desktop": minor
+"live-mobile": minor
+"@ledgerhq/live-common": minor
+"@ledgerhq/ethereum-provider": minor
+"@ledgerhq/web-tools": minor
+"ledger-live-mobile-e2e-tests": minor
+---
+
+Replace usages of Math.random() for id generation by uuid()

apps/ledger-live-desktop/src/renderer/IPCTransport.test.ts

@@ -0,0 +1,98 @@
+import { ipcRenderer } from "electron";
+import { DeviceModelId } from "@ledgerhq/types-devices";
+import IPCTransport from "./IPCTransport";
+
+jest.mock("electron", () => ({
+  ipcRenderer: {
+    invoke: jest.fn(),
+  },
+}));
+
+jest.mock("@ledgerhq/logs", () => {
+  const mockInstance = {
+    trace: jest.fn(),
+    withContext: jest.fn().mockReturnThis(),
+    withType: jest.fn().mockReturnThis(),
+  };
+  return {
+    log: jest.fn(),
+    trace: jest.fn(),
+    LocalTracer: jest.fn().mockImplementation(() => mockInstance),
+  };
+});
+
+jest.mock("@ledgerhq/devices", () => ({
+  getDeviceModel: jest.fn(() => ({ id: DeviceModelId.nanoS })),
+}));
+
+const mockInvoke = jest.mocked(ipcRenderer.invoke);
+
+describe("IPCTransport", () => {
+  beforeEach(() => {
+    mockInvoke.mockReset();
+  });
+
+  describe("isSupported", () => {
+    it("should resolve to true when ipcRenderer is an object", async () => {
+      await expect(IPCTransport.isSupported()).resolves.toBe(true);
+    });
+  });
+
+  describe("listen", () => {
+    it("should call transport:listen with a uuid requestId and emit add descriptor on success", () => {
+      const observer = { next: jest.fn(), error: jest.fn(), complete: jest.fn() };
+      mockInvoke.mockImplementation((channel: string) => {
+        if (channel === "transport:listen") {
+          return Promise.resolve({ type: "listen-success" });
+        }
+        return Promise.resolve(undefined);
+      });
+
+      const subscription = IPCTransport.listen(observer);
+
+      expect(mockInvoke).toHaveBeenCalledWith(
+        "transport:listen",
+        expect.objectContaining({
+          requestId: expect.stringMatching(
+            /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i,
+          ),
+        }),
+      );
+
+      return new Promise<void>(resolve => {
+        setImmediate(() => {
+          expect(observer.next).toHaveBeenCalledWith(
+            expect.objectContaining({
+              type: "add",
+              descriptor: "http-proxy",
+            }),
+          );
+          subscription.unsubscribe();
+          resolve();
+        });
+      });
+    });
+  });
+
+  describe("open", () => {
+    it("should call transport:open with descriptor and uuid requestId and return IPCTransport instance", async () => {
+      const descriptor = "http-proxy";
+      mockInvoke.mockImplementation((channel: string) => {
+        if (channel === "transport:open") return Promise.resolve({ type: "open-success" });
+        return Promise.resolve(undefined);
+      });
+
+      const transport = await IPCTransport.open(descriptor);
+
+      expect(transport).toBeInstanceOf(IPCTransport);
+      const openCall = mockInvoke.mock.calls.find(c => c[0] === "transport:open");
+      expect(openCall).toBeDefined();
+      expect(openCall![1]).toMatchObject({
+        descriptor,
+      });
+      expect(openCall![1].requestId).toMatch(
+        /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i,
+      );
+    });
+  });
+});

apps/ledger-live-desktop/src/renderer/IPCTransport.ts

@@ -8,6 +8,7 @@ import { log, trace, TraceContext } from "@ledgerhq/logs";
 import { DescriptorEvent, DeviceModelId } from "@ledgerhq/types-devices";
 import { Observer } from "rxjs";
 import { getDeviceModel } from "@ledgerhq/devices";
+import { v4 as uuid } from "uuid";
 // No longer need transport channels - using direct invoke
 
 const LOG_TYPE = "hid-ipc";
@@ -25,7 +26,7 @@ export default class IPCTransport extends Transport {
 
   static listen = (observer: Observer<DescriptorEvent<string>>) => {
     let unsubscribed = false;
-    const requestId = String(Math.random());
+    const requestId = uuid();
 
     const unsubscribe = () => {
       if (unsubscribed) return;
@@ -68,7 +69,7 @@ export default class IPCTransport extends Transport {
   ): Promise<IPCTransport> {
     log(LOG_TYPE, "open", { descriptor, timeout });
 
-    const requestId = String(Math.random());
+    const requestId = uuid();
 
     try {
       const result = await ipcRenderer.invoke("transport:open", {

apps/ledger-live-mobile/e2e/bridge/server.ts

@@ -15,6 +15,7 @@ import {
   SettingsSetOverriddenFeatureFlagPlayload,
   SettingsSetOverriddenFeatureFlagsPlayload,
 } from "~/actions/types";
+import { v4 as uuid } from "uuid";
 
 let clientResponse: (data: string) => void;
 const RESPONSE_TIMEOUT = 10000;
@@ -45,9 +46,7 @@ export async function findFreePort(): Promise<number> {
 }
 
 function uniqueId(): string {
-  const timestamp = Date.now().toString(36); // Convert timestamp to base36 string
-  const randomString = Math.random().toString(36).slice(2, 7); // Generate random string
-  return timestamp + randomString; // Concatenate timestamp and random string
+  return uuid();
 }
 
 function isFeatureId(

apps/ledger-live-mobile/src/mvvm/components/ProviderInterstitial/index.tsx

@@ -16,6 +16,7 @@ import { Icon, Text, Flex } from "@ledgerhq/native-ui";
 import { useShowProviderLoadingTransition } from "@ledgerhq/live-common/hooks/useShowProviderLoadingTransition";
 import { InterstitialType } from "~/components/WebPTXPlayer";
 import { DdRum, RumActionType } from "@datadog/mobile-react-native";
+import { v4 as uuid } from "uuid";
 
 export const Loader = styled(Flex)`
   gap: 28px;
@@ -197,7 +198,5 @@ function useProviderConnectRum({
 }
 
 function uniqueId(): string {
-  const timestamp = Date.now().toString(36);
-  const randomString = Math.random().toString(36).slice(2, 7);
-  return timestamp + randomString;
+  return uuid();
 }

apps/ledger-live-mobile/src/mvvm/features/ModularDrawer/utils/__tests__/callbackIdGenerator.test.ts

@@ -0,0 +1,15 @@
+import { generateCallbackId } from "../callbackIdGenerator";
+
+describe("callbackIdGenerator", () => {
+  it("returns a string prefixed with callback_", () => {
+    const id = generateCallbackId();
+    expect(id).toMatch(/^callback_.*$/);
+    expect(typeof id).toBe("string");
+  });
+
+  it("returns unique ids on each call", () => {
+    const id1 = generateCallbackId();
+    const id2 = generateCallbackId();
+    expect(id1).not.toBe(id2);
+  });
+});

apps/ledger-live-mobile/src/mvvm/features/ModularDrawer/utils/callbackIdGenerator.ts

@@ -1,7 +1,9 @@
+import { v4 as uuid } from "uuid";
+
 /**
  * Generates a unique callback ID for the callback registry.
  * This ensures each callback has a unique identifier to avoid conflicts.
  */
 export const generateCallbackId = (): string => {
-  return `callback_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+  return `callback_${uuid()}`;
 };

apps/ledger-live-mobile/src/screens/Settings/Debug/Generators/GenerateMockAccounts.tsx

@@ -2,6 +2,7 @@ import React from "react";
 import sample from "lodash/sample";
 import { Alert } from "react-native";
 import { IconsLegacy } from "@ledgerhq/native-ui";
+import { v4 as uuid } from "uuid";
 import { genAccount } from "@ledgerhq/live-common/mock/account";
 import { listSupportedCurrencies } from "@ledgerhq/live-common/currencies/index";
 import SettingsRow from "~/components/SettingsRow";
@@ -13,7 +14,7 @@ const generateMockAccounts = (count: number) =>
   Array(count)
     .fill(null)
     .map(() => {
-      return genAccount(String(Math.random()), {
+      return genAccount(uuid(), {
         currency: sample(listSupportedCurrencies()),
       });
     });

apps/ledger-live-mobile/src/screens/Settings/Debug/Generators/GenerateMockAccountsSelect.tsx

@@ -1,4 +1,5 @@
 import React, { useCallback, useState } from "react";
+import { v4 as uuid } from "uuid";
 import { genAccount } from "@ledgerhq/live-common/mock/account";
 import { listSupportedCurrencies } from "@ledgerhq/live-common/currencies/index";
 import { useNavigation } from "@react-navigation/native";
@@ -29,7 +30,7 @@ const generateMockAccounts = (currencies: CryptoCurrency[], tokens: string): Acc
   const tokenIds = tokens.split(",").map(t => t.toLowerCase().trim());
 
   return currencies.map(currency =>
-    genAccount(String(Math.random()), {
+    genAccount(uuid(), {
       currency,
       tokenIds,
     }),

apps/ledger-live-mobile/src/screens/Settings/Debug/Generators/__tests__/GenerateMockAccounts.test.tsx

@@ -0,0 +1,76 @@
+import React from "react";
+import { Alert } from "react-native";
+import { render, screen } from "@tests/test-renderer";
+import GenerateMockAccountsButton from "../GenerateMockAccounts";
+
+jest.mock("uuid", () => ({
+  v4: jest.fn(() => "mock-uuid-for-accounts"),
+}));
+
+const mockGenAccount = jest.fn(() => ({ id: "account-1" }));
+jest.mock("@ledgerhq/live-common/mock/account", () => ({
+  genAccount: (...args: unknown[]) => Reflect.apply(mockGenAccount, null, args),
+}));
+
+const mockDispatch = jest.fn();
+jest.mock("~/context/hooks", () => ({
+  ...jest.requireActual("~/context/hooks"),
+  useDispatch: () => mockDispatch,
+}));
+
+jest.mock("~/actions/accounts", () => ({
+  replaceAccounts: jest.fn((accounts: unknown) => ({ type: "REPLACE_ACCOUNTS", accounts })),
+}));
+
+jest.mock("~/actions/appstate", () => ({
+  reboot: jest.fn(() => ({ type: "REBOOT" })),
+}));
+
+describe("GenerateMockAccountsButton", () => {
+  let alertSpy: jest.SpyInstance;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    alertSpy = jest
+      .spyOn(Alert, "alert")
+      .mockImplementation(
+        (_title: string, _message?: string, buttons?: Array<{ text?: string; onPress?: () => void }>) => {
+          const okButton = buttons?.find(b => b.text === "Ok");
+          if (okButton?.onPress) okButton.onPress();
+        },
+      );
+  });
+
+  afterEach(() => {
+    alertSpy.mockRestore();
+  });
+
+  it("should call genAccount with uuid when generating mock accounts", async () => {
+    const { user } = render(
+      <GenerateMockAccountsButton count={2} title="Generate" desc="Description" />,
+    );
+
+    const row = await screen.findByText("Generate");
+    await user.press(row);
+
+    expect(mockGenAccount).toHaveBeenCalled();
+    expect(
+      mockGenAccount.mock.calls.every((call: unknown[]) => call[0] === "mock-uuid-for-accounts"),
+    ).toBe(true);
+  });
+
+  it("should pass a uuid-shaped seed to genAccount for each account", async () => {
+    const { user } = render(
+      <GenerateMockAccountsButton count={3} title="Generate" desc="Description" />,
+    );
+
+    const row = await screen.findByText("Generate");
+    await user.press(row);
+
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+    expect(mockGenAccount).toHaveBeenCalledTimes(3);
+    mockGenAccount.mock.calls.forEach((call: unknown[]) => {
+      expect(String(call[0])).toMatch(uuidRegex);
+    });
+  });
+});