fix(web-pkg)! creating biased random numbers from a cryptographically secure source

[odaysec]

web/packages/web-pkg/src/services/passwordPolicy/passwordPolicy.ts

Line 185 in 1bdd38c

const j = Math.floor((window.crypto.getRandomValues(new Uint8Array(1))[0] / 256) * (i + 1))

Fix the issue need to replace the biased division-based random index generation with a method that ensures uniform distribution. This can be achieved by using a rejection sampling approach, similar to the one used earlier in the getRandomCharsFromSet function. Specifically, we will calculate a setLimit for the array length and discard random values that fall outside this range. This ensures that the modulo operation produces unbiased results.

The changes will be made to the shuffle logic on lines 184–186.

---

References

Understanding “randomness”
Insecure Randomness
Rule - Use strong approved cryptographic algorithms
CWE-327

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Technical debt
• Tests
• Documentation
• Maintenance (e.g. dependency updates or tooling)

Open tasks:

• ...

[update-docs]

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

[CLAassistant]

All committers have signed the CLA.

[LukasHirt]

Hello @odaysec, thank you for the contribution! Two small things. The CI lint pipeline is broken due to formatting. Also, we would kindly ask you to provide a changelog item https://github.com/owncloud/web/blob/master/changelog/README.md#create-changelog-items