Update URL secret generation to use Random.secure() (#2432)

jakemac53 · web-flow · commit fea78528304b · 2024-12-19T14:03:48.000-08:00
diff --git a/pkgs/test/CHANGELOG.md b/pkgs/test/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.25.14
+
+* Use secure random for url secrets.
+
 ## 1.25.13
 
 * Allow the latest version of `package:matcher`.
diff --git a/pkgs/test/lib/src/util/math.dart b/pkgs/test/lib/src/util/math.dart
@@ -2,19 +2,11 @@
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
+import 'dart:convert';
 import 'dart:math' as math;
 
-final _rand = math.Random();
+final _rand = math.Random.secure();
 
-/// Returns a random 32 character alphanumeric string ([a-zA-Z0-9]), which is
-/// suitable as a url secret.
-String randomUrlSecret() {
-  var buffer = StringBuffer();
-  while (buffer.length < 32) {
-    buffer.write(_alphaChars[_rand.nextInt(_alphaChars.length)]);
-  }
-  return buffer.toString();
-}
-
-const _alphaChars =
-    '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
+/// Returns a random 64 bit token suitable as a url secret.
+String randomUrlSecret() =>
+    base64Url.encode(List.generate(8, (_) => _rand.nextInt(256)));
diff --git a/pkgs/test/pubspec.yaml b/pkgs/test/pubspec.yaml
@@ -1,5 +1,5 @@
 name: test
-version: 1.25.13
+version: 1.25.14
 description: >-
   A full featured library for writing and running Dart tests across platforms.
 repository: https://github.com/dart-lang/test/tree/master/pkgs/test
