TypeError: randomBytes is not a function

Question

TypeError: randomBytes is not a function

alfredriesen opened this issue 4 years ago · comments

I'm using serialize-javascript on server-side in v8js (PHP) - Context. There is no crypto.randomBytes available. Is there a way to fix this?

Ryuichi Okumura · Answer 1 · Thu Jun 04 2020 18:18:10 GMT+0800 (China Standard Time)

As far as I know, you are the first person to use this on a non Node.js environment.

I'm not sure about v8js, but I think it should work if you use an older version like v2.x or v3.0.0.

alfredriesen · Answer 2 · Fri Jun 05 2020 01:40:00 GMT+0800 (China Standard Time)

If I remain on v3.0.0, then the Snyk audit does not pass.
Issues to fix by upgrading: Upgrade serialize-javascript@3.0.0 to serialize-javascript@3.1.0 to fix ✗ Arbitrary Code Injection (new) [High Severity][https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062] in serialize-javascript@3.0.0 introduced by serialize-javascript@3.0.0 and 1 other path(s)

I tried to update only minimist to v1.2.5 in yarn.lock . But Snyk continue reporting the vulnerable path. Do I have any other options?

alfredriesen · Answer 3 · Fri Jun 05 2020 15:33:18 GMT+0800 (China Standard Time)

As a workaround I implemented a bridge PHP - Javascript for this function "randomBytes":

On Javascript:

const crypto = {
    randomBytes: function (val) {
        let newBuffer = new Uint8Array (val)
        let bytesNumbers = global.randomBytes(val) // refers to PHP $randomBytes
        return newBuffer.map((number,index) => bytesNumbers[index])
    },
}

On PHP:

$randomBytes = function (int $length) {
      return array_map(function ($i) { return ord($i); }, str_split(random_bytes($length)));
};

Now I can update to v3.1.0