@clear-capabilities/agentic-security-scanner 0.76.1 → 0.78.0

package/src/sast/redos-nfa.js

@@ -0,0 +1,338 @@
+// ReDoS NFA analyzer — detects catastrophic backtracking in regex patterns.
+//
+// Builds a simplified NFA from a regex body string and detects superlinear
+// ambiguity: two distinct paths through a quantifier cycle that accept the
+// same character. This is the core condition for exponential backtracking.
+//
+// Scope: character classes, alternation, quantifiers (+*?{n,m}), groups,
+// escapes, anchors. Unknown constructs → treated as safe (opaque atom).
+// Body-length cap: 500 chars → skip (too complex for static analysis).
+//
+// Also exports extractors for Python re.compile() and Java Pattern.compile().
+
+const MAX_BODY_LEN = 500;
+
+// ── Regex parser ────────────────────────────────────────────────────────────
+
+function parseRegex(body) {
+  let pos = 0;
+  const src = body;
+
+  function peek() { return pos < src.length ? src[pos] : null; }
+  function advance() { return src[pos++]; }
+
+  function parseAlternation() {
+    const branches = [parseConcat()];
+    while (peek() === '|') {
+      advance();
+      branches.push(parseConcat());
+    }
+    return branches.length === 1 ? branches[0] : { type: 'alt', branches };
+  }
+
+  function parseConcat() {
+    const items = [];
+    while (pos < src.length && peek() !== ')' && peek() !== '|') {
+      items.push(parseQuantified());
+    }
+    return items.length === 1 ? items[0] : { type: 'concat', items };
+  }
+
+  function parseQuantified() {
+    let atom = parseAtom();
+    if (!atom) return { type: 'literal', ch: '' };
+    while (pos < src.length) {
+      const c = peek();
+      if (c === '*') { advance(); atom = { type: 'star', child: atom }; }
+      else if (c === '+') { advance(); atom = { type: 'plus', child: atom }; }
+      else if (c === '?') { advance(); atom = { type: 'opt', child: atom }; }
+      else if (c === '{') {
+        const saved = pos;
+        advance();
+        let numStr = '';
+        while (pos < src.length && /[\d,]/.test(peek())) numStr += advance();
+        if (peek() === '}') {
+          advance();
+          const parts = numStr.split(',');
+          const max = parts.length > 1 ? (parts[1] ? parseInt(parts[1]) : Infinity) : parseInt(parts[0]);
+          if (max > 1 || max === Infinity) {
+            atom = { type: 'star', child: atom };
+          }
+        } else {
+          pos = saved;
+          break;
+        }
+      } else break;
+      if (peek() === '?') advance(); // lazy modifier
+    }
+    return atom;
+  }
+
+  function parseAtom() {
+    const c = peek();
+    if (c === null || c === ')' || c === '|') return null;
+    if (c === '(') {
+      advance();
+      if (peek() === '?') {
+        advance();
+        // Non-capturing group or lookahead — skip modifier chars
+        while (pos < src.length && peek() !== ':' && peek() !== ')' && /[imsx<!=P]/.test(peek())) advance();
+        if (peek() === ':' || peek() === ')') {
+          if (peek() === ':') advance();
+          if (peek() === ')') { advance(); return { type: 'literal', ch: '' }; }
+        }
+      }
+      const inner = parseAlternation();
+      if (peek() === ')') advance();
+      return { type: 'group', child: inner };
+    }
+    if (c === '[') return parseCharClass();
+    if (c === '\\') {
+      advance();
+      const esc = advance();
+      if (!esc) return { type: 'literal', ch: '\\' };
+      if (esc === 'd') return { type: 'class', chars: '0123456789' };
+      if (esc === 'w') return { type: 'class', chars: 'azAZ09_' };
+      if (esc === 's') return { type: 'class', chars: ' \t\n\r' };
+      if (esc === 'D' || esc === 'W' || esc === 'S') return { type: 'class', chars: 'ANY' };
+      if (esc === 'b' || esc === 'B') return { type: 'literal', ch: '' }; // anchor
+      return { type: 'literal', ch: esc };
+    }
+    if (c === '.') { advance(); return { type: 'class', chars: 'ANY' }; }
+    if (c === '^' || c === '$') { advance(); return { type: 'literal', ch: '' }; }
+    advance();
+    return { type: 'literal', ch: c };
+  }
+
+  function parseCharClass() {
+    advance(); // [
+    let chars = '';
+    let negated = false;
+    if (peek() === '^') { negated = true; advance(); }
+    if (peek() === ']') { chars += advance(); }
+    while (pos < src.length && peek() !== ']') {
+      if (peek() === '\\') {
+        advance();
+        const esc = advance();
+        if (esc === 'd') chars += '0123456789';
+        else if (esc === 'w') chars += 'azAZ09_';
+        else if (esc === 's') chars += ' \t\n\r';
+        else chars += (esc || '');
+      } else {
+        chars += advance();
+      }
+    }
+    if (peek() === ']') advance();
+    return { type: 'class', chars: negated ? 'ANY' : chars };
+  }
+
+  try {
+    const tree = parseAlternation();
+    return { ok: true, tree };
+  } catch {
+    return { ok: false, tree: null };
+  }
+}
+
+// ── Ambiguity detection ─────────────────────────────────────────────────────
+
+function classOverlaps(a, b) {
+  if (a === 'ANY' || b === 'ANY') return true;
+  for (const ch of a) {
+    if (b.includes(ch)) return true;
+  }
+  return false;
+}
+
+function collectFirstChars(node) {
+  if (!node) return [];
+  switch (node.type) {
+    case 'literal':
+      return node.ch ? [node.ch] : [];
+    case 'class':
+      return [node.chars];
+    case 'group':
+      return collectFirstChars(node.child);
+    case 'concat':
+      for (const item of (node.items || [])) {
+        const fc = collectFirstChars(item);
+        if (fc.length) return fc;
+        if (!canBeEmpty(item)) return fc;
+      }
+      return [];
+    case 'alt':
+      return (node.branches || []).flatMap(collectFirstChars);
+    case 'star':
+    case 'plus':
+    case 'opt':
+      return collectFirstChars(node.child);
+    default:
+      return [];
+  }
+}
+
+function canBeEmpty(node) {
+  if (!node) return true;
+  switch (node.type) {
+    case 'literal': return !node.ch;
+    case 'class': return false;
+    case 'group': return canBeEmpty(node.child);
+    case 'concat': return (node.items || []).every(canBeEmpty);
+    case 'alt': return (node.branches || []).some(canBeEmpty);
+    case 'star': case 'opt': return true;
+    case 'plus': return canBeEmpty(node.child);
+    default: return false;
+  }
+}
+
+function detectSuperlinear(tree) {
+  if (!tree) return { unsafe: false };
+  const reasons = [];
+  _walk(tree, reasons, 0);
+  return reasons.length ? { unsafe: true, reason: reasons[0] } : { unsafe: false };
+}
+
+function _walk(node, reasons, quantifierDepth) {
+  if (!node || reasons.length) return;
+  switch (node.type) {
+    case 'star':
+    case 'plus': {
+      if (quantifierDepth > 0) {
+        reasons.push('nested quantifier');
+        return;
+      }
+      _walk(node.child, reasons, quantifierDepth + 1);
+      // Unwrap group to check inner structure
+      const inner = node.child && node.child.type === 'group' ? node.child.child : node.child;
+      if (inner && inner.type === 'alt') {
+        const branches = inner.branches || [];
+        for (let i = 0; i < branches.length; i++) {
+          const fc_i = collectFirstChars(branches[i]);
+          for (let j = i + 1; j < branches.length; j++) {
+            const fc_j = collectFirstChars(branches[j]);
+            for (const a of fc_i) {
+              for (const b of fc_j) {
+                if (classOverlaps(a, b)) {
+                  reasons.push('alternation ambiguity under quantifier');
+                  return;
+                }
+              }
+            }
+          }
+        }
+      }
+      if (inner && inner.type === 'concat') {
+        const items = inner.items || [];
+        if (items.length >= 2) {
+          const first = collectFirstChars(items[0]);
+          for (let k = 1; k < items.length; k++) {
+            // Check if all items before k can be empty (nullable prefix)
+            const prefixNullable = items.slice(0, k).every(canBeEmpty);
+            const prevNullable = canBeEmpty(items[k - 1]) || items[k - 1].type === 'star' || items[k - 1].type === 'opt';
+            if (prevNullable || prefixNullable) {
+              const fc_k = collectFirstChars(items[k]);
+              for (const a of first) {
+                for (const b of fc_k) {
+                  if (classOverlaps(a, b)) {
+                    reasons.push('overlapping nullable prefix in quantifier');
+                    return;
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+      break;
+    }
+    case 'opt':
+      _walk(node.child, reasons, quantifierDepth);
+      break;
+    case 'group':
+      _walk(node.child, reasons, quantifierDepth);
+      break;
+    case 'concat':
+      for (const item of (node.items || [])) _walk(item, reasons, quantifierDepth);
+      break;
+    case 'alt':
+      for (const b of (node.branches || [])) _walk(b, reasons, quantifierDepth);
+      break;
+    default:
+      break;
+  }
+}
+
+// ── Public API ──────────────────────────────────────────────────────────────
+
+export function isUnsafeRegex(body) {
+  if (!body || typeof body !== 'string') return { unsafe: false };
+  if (body.length > MAX_BODY_LEN) return { unsafe: false };
+  if (!/[*+{]/.test(body)) return { unsafe: false };
+  const parsed = parseRegex(body);
+  if (!parsed.ok) return { unsafe: false };
+  return detectSuperlinear(parsed.tree);
+}
+
+export function extractJsRegexBodies(code) {
+  const out = [];
+  // Regex literals: /pattern/flags
+  for (const m of code.matchAll(/\/([^/\n]+)\/[gimsuy]*/g)) {
+    out.push({ body: m[1], line: code.slice(0, m.index).split('\n').length });
+  }
+  // new RegExp("pattern")
+  for (const m of code.matchAll(/new\s+RegExp\s*\(\s*['"]([^'"]+)['"]/g)) {
+    out.push({ body: m[1], line: code.slice(0, m.index).split('\n').length });
+  }
+  return out;
+}
+
+export function extractPyRegexBodies(code) {
+  const out = [];
+  for (const m of code.matchAll(/\bre\.(?:compile|match|search|sub|findall|fullmatch)\s*\(\s*r?['"]((?:\\.|[^'"\n])+)['"]/g)) {
+    out.push({ body: m[1], line: code.slice(0, m.index).split('\n').length });
+  }
+  return out;
+}
+
+export function extractJavaRegexBodies(code) {
+  const out = [];
+  for (const m of code.matchAll(/\bPattern\.compile\s*\(\s*"((?:\\.|[^"\n])+)"/g)) {
+    out.push({ body: m[1].replace(/\\\\/g, '\\'), line: code.slice(0, m.index).split('\n').length });
+  }
+  for (const m of code.matchAll(/\.matches\s*\(\s*"((?:\\.|[^"\n])+)"/g)) {
+    out.push({ body: m[1].replace(/\\\\/g, '\\'), line: code.slice(0, m.index).split('\n').length });
+  }
+  return out;
+}
+
+export function scanRegexReDoS(file, raw) {
+  if (!file || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+  const findings = [];
+  let bodies = [];
+  if (/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(file)) bodies = extractJsRegexBodies(raw);
+  else if (/\.py$/i.test(file)) bodies = extractPyRegexBodies(raw);
+  else if (/\.java$/i.test(file)) bodies = extractJavaRegexBodies(raw);
+  else return [];
+
+  for (const { body, line } of bodies) {
+    const result = isUnsafeRegex(body);
+    if (result.unsafe) {
+      findings.push({
+        id: `redos-nfa:${file}:${line}`,
+        file,
+        line,
+        vuln: 'ReDoS — Catastrophic Backtracking (NFA analysis)',
+        severity: 'high',
+        family: 'redos',
+        cwe: 'CWE-1333',
+        parser: 'NFA',
+        confidence: 0.85,
+        description: `Regex pattern has ${result.reason}. A crafted input can cause exponential backtracking, consuming 100% CPU.`,
+        remediation: 'Rewrite the regex to avoid nested quantifiers and overlapping alternation. Consider using the re2 library for guaranteed linear-time matching.',
+        snippet: `/${body.slice(0, 60)}${body.length > 60 ? '...' : ''}/`,
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/sensitive-data-logging.js

@@ -0,0 +1,73 @@
+// Sensitive data logging detector.
+//
+// Flags PII-named variables sent to logging sinks without sanitization.
+// Covers JS (console/winston/pino/bunyan), Python (logging/print),
+// Go (log/fmt.Printf).
+
+const PII_CONTEXT = /\b(email|ssn|password|phone|dob|date_of_birth|credit_card|card_number|social_security|passport|medical_record|ip_address|first_name|last_name|address|zip_code|bank_account)\b/i;
+
+function _line(raw, idx) { return raw.slice(0, idx).split('\n').length; }
+
+const LANG_SINKS = {
+  js: {
+    ext: /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i,
+    sinks: [
+      /\bconsole\.(?:log|warn|error|info|debug|trace)\s*\(/g,
+      /\blogger\.(?:log|info|warn|error|debug|trace|fatal)\s*\(/g,
+      /\b(?:winston|pino|bunyan|log4js)(?:\.\w+)*\.(?:info|warn|error|debug|log)\s*\(/g,
+    ],
+  },
+  py: {
+    ext: /\.py$/i,
+    sinks: [
+      /\blogging\.(?:info|warning|error|debug|critical)\s*\(/g,
+      /\blogger\.(?:info|warning|error|debug|critical)\s*\(/g,
+      /\bprint\s*\(/g,
+    ],
+  },
+  go: {
+    ext: /\.go$/i,
+    sinks: [
+      /\blog\.(?:Printf|Println|Print|Fatalf|Fatal)\s*\(/g,
+      /\bfmt\.(?:Printf|Println|Print|Fprintf)\s*\(/g,
+    ],
+  },
+};
+
+export function scanSensitiveDataLogging(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+
+  const findings = [];
+  let lang = null;
+  for (const v of Object.values(LANG_SINKS)) {
+    if (v.ext.test(fp)) { lang = v; break; }
+  }
+  if (!lang) return [];
+
+  for (const sinkRe of lang.sinks) {
+    sinkRe.lastIndex = 0;
+    for (const m of raw.matchAll(sinkRe)) {
+      const lineNum = _line(raw, m.index);
+      const lineEnd = raw.indexOf('\n', m.index);
+      const lineText = raw.slice(m.index, lineEnd > 0 ? lineEnd : m.index + 200);
+      if (!PII_CONTEXT.test(lineText)) continue;
+      // Skip if the line contains redaction/masking
+      if (/\b(?:redact|mask|sanitize|censor|scrub|\*{3,}|\.{3}|slice\s*\(\s*0\s*,\s*\d\s*\))\b/i.test(lineText)) continue;
+      findings.push({
+        id: `sensitive-log:${fp}:${lineNum}`,
+        file: fp, line: lineNum,
+        vuln: 'Sensitive Data Logged — PII-named variable sent to logger without sanitization',
+        severity: 'medium',
+        family: 'sensitive-data-logging',
+        cwe: 'CWE-532',
+        parser: 'PII-LOG',
+        confidence: 0.70,
+        description: 'A variable with a PII-related name (email, password, ssn, etc.) is logged without redaction. Log aggregators, crash reporters, and stdout can expose this data.',
+        remediation: 'Redact sensitive fields before logging: logger.info("Login", { email: email.slice(0, 3) + "***" }). Never log passwords, SSNs, or credit card numbers.',
+        snippet: lineText.trim().slice(0, 100),
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/weak-password-hash.js

@@ -0,0 +1,77 @@
+// Weak password hashing detector.
+//
+// Context-gated: only fires when the hash input variable is named
+// password/secret/credential or the enclosing function is password-related.
+// Detects MD5/SHA1 without salt for password storage.
+
+const PASSWORD_CONTEXT = /\b(password|passwd|pwd|secret|credential|passphrase|pass_hash|user_pass)\b/i;
+const PASSWORD_FUNC = /\b(hashPassword|encryptPassword|checkPassword|verifyPassword|createHash|setPassword|validatePassword|hash_password|check_password)\b/i;
+
+function _line(raw, idx) { return raw.slice(0, idx).split('\n').length; }
+
+const PATTERNS = {
+  js: {
+    ext: /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i,
+    rules: [
+      { re: /\bcreateHash\s*\(\s*['"](?:md5|sha1|sha-1|md4)['"]\s*\)[\s\S]{0,60}\.update\s*\(\s*(\w+)/g, label: 'createHash with weak algorithm' },
+      { re: /\bmd5\s*\(\s*(\w+)/g, label: 'md5() function call' },
+      { re: /\bsha1\s*\(\s*(\w+)/g, label: 'sha1() function call' },
+    ],
+  },
+  py: {
+    ext: /\.py$/i,
+    rules: [
+      { re: /\bhashlib\.(?:md5|sha1)\s*\(\s*(\w+)/g, label: 'hashlib.md5/sha1' },
+      { re: /\bhashlib\.new\s*\(\s*['"](?:md5|sha1)['"]\s*\)[\s\S]{0,40}\.update\s*\(\s*(\w+)/g, label: 'hashlib.new with weak algorithm' },
+    ],
+  },
+  go: {
+    ext: /\.go$/i,
+    rules: [
+      { re: /\bmd5\.(?:Sum|New)\s*\(\s*(?:\[\]byte\s*\(\s*)?(\w+)/g, label: 'md5.Sum/New' },
+      { re: /\bsha1\.(?:Sum|New)\s*\(\s*(?:\[\]byte\s*\(\s*)?(\w+)/g, label: 'sha1.Sum/New' },
+    ],
+  },
+};
+
+export function scanWeakPasswordHash(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+
+  const findings = [];
+  let lang = null;
+  for (const v of Object.values(PATTERNS)) {
+    if (v.ext.test(fp)) { lang = v; break; }
+  }
+  if (!lang) return [];
+
+  for (const { re, label } of lang.rules) {
+    re.lastIndex = 0;
+    for (const m of raw.matchAll(re)) {
+      const inputVar = m[1] || '';
+      const line = _line(raw, m.index);
+      // Check context: password-named variable or password-related function
+      const funcStart = raw.lastIndexOf('\n', Math.max(0, m.index - 500));
+      const context = raw.slice(funcStart, m.index + m[0].length + 100);
+      if (!PASSWORD_CONTEXT.test(inputVar) && !PASSWORD_CONTEXT.test(context) && !PASSWORD_FUNC.test(context)) continue;
+      // Check for salt within 10 lines before
+      const before = raw.slice(Math.max(0, m.index - 400), m.index);
+      const hasSalt = /\b(salt|randomBytes|urandom|os\.urandom|crypto\.randomBytes|bcrypt|argon2|scrypt|pbkdf2)\b/i.test(before);
+      if (hasSalt) continue;
+
+      findings.push({
+        id: `weak-pw-hash:${fp}:${line}`,
+        file: fp, line,
+        vuln: `Weak Password Hashing — ${label} for password without salt`,
+        severity: 'critical',
+        family: 'weak-password-hash',
+        cwe: 'CWE-916',
+        parser: 'WEAK-PW-HASH',
+        confidence: 0.80,
+        description: `${label} used on a password-context variable without salt. MD5/SHA1 are fast hashes trivially reversed via rainbow tables. Unsalted hashes are cracked in seconds.`,
+        remediation: 'Use bcrypt (cost ≥ 12), argon2id, or scrypt. Never use MD5/SHA1/SHA256 for password storage.',
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/weak-randomness.js

@@ -0,0 +1,100 @@
+// Cross-language insecure randomness detector.
+//
+// Flags usage of non-cryptographic PRNGs when the result is assigned to a
+// security-sensitive variable (token, session, nonce, key, secret, etc.).
+//
+// Coverage:
+//   JS/TS: Math.random()
+//   Python: random.random(), random.randint(), random.choice(), random.uniform()
+//   Go: rand.Intn(), rand.Int(), rand.Float64(), rand.Int31(), rand.Int63()
+//   Ruby: rand(), Random.rand, Random.new.rand
+//   PHP: rand(), mt_rand(), array_rand(), shuffle()
+
+const SECURITY_CONTEXT = /\b(token|session|nonce|key|secret|password|otp|csrf|salt|code|pin|auth|reset|verify|captcha|challenge|ticket)\b/i;
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+const LANG_PATTERNS = {
+  js: {
+    ext: /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i,
+    patterns: [
+      { re: /\bMath\.random\s*\(\s*\)/g, label: 'Math.random()' },
+    ],
+  },
+  py: {
+    ext: /\.py$/i,
+    patterns: [
+      { re: /\brandom\.(?:random|randint|choice|uniform|randrange|sample|getrandbits)\s*\(/g, label: 'random module (non-crypto)' },
+    ],
+  },
+  go: {
+    ext: /\.go$/i,
+    patterns: [
+      { re: /\brand\.(?:Intn|Int|Float64|Float32|Int31|Int63|Int31n|Int63n|Uint32|Uint64)\s*\(/g, label: 'math/rand (non-crypto)' },
+    ],
+  },
+  rb: {
+    ext: /\.rb$/i,
+    patterns: [
+      { re: /\b(?:rand\s*\(|Random\.(?:rand|new\.rand)\s*\()/g, label: 'Kernel.rand / Random.rand' },
+    ],
+  },
+  php: {
+    ext: /\.(?:php|phtml)$/i,
+    patterns: [
+      { re: /\b(?:rand|mt_rand|array_rand)\s*\(/g, label: 'rand() / mt_rand()' },
+    ],
+  },
+};
+
+export function scanWeakRandomness(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+
+  const findings = [];
+  let lang = null;
+  for (const [k, v] of Object.entries(LANG_PATTERNS)) {
+    if (v.ext.test(fp)) { lang = v; break; }
+  }
+  if (!lang) return [];
+
+  for (const { re, label } of lang.patterns) {
+    re.lastIndex = 0;
+    for (const m of raw.matchAll(re)) {
+      const line = _line(raw, m.index);
+      const lineStart = raw.lastIndexOf('\n', m.index) + 1;
+      const lineEnd = raw.indexOf('\n', m.index);
+      const lineText = raw.slice(lineStart, lineEnd > 0 ? lineEnd : raw.length);
+      if (!SECURITY_CONTEXT.test(lineText)) {
+        const prevLineStart = raw.lastIndexOf('\n', lineStart - 2) + 1;
+        const prevLine = raw.slice(prevLineStart, lineStart - 1);
+        if (!SECURITY_CONTEXT.test(prevLine)) continue;
+      }
+      findings.push({
+        id: `weak-rng:${fp}:${line}`,
+        file: fp,
+        line,
+        vuln: `Insecure Randomness — ${label} used for security-sensitive value`,
+        severity: 'high',
+        family: 'weak-rng',
+        cwe: 'CWE-330',
+        parser: 'WEAK-RNG',
+        confidence: 0.80,
+        description: `${label} is not cryptographically secure. An attacker can predict the output and forge tokens, bypass OTP, or guess session identifiers.`,
+        remediation: _remediation(fp),
+        snippet: lineText.trim().slice(0, 80),
+      });
+    }
+  }
+  return findings;
+}
+
+function _remediation(fp) {
+  if (/\.py$/i.test(fp)) return 'Use secrets.token_hex(32), secrets.token_urlsafe(32), or secrets.randbelow(n).';
+  if (/\.go$/i.test(fp)) return 'Use crypto/rand: n, _ := rand.Int(rand.Reader, big.NewInt(999999)).';
+  if (/\.rb$/i.test(fp)) return 'Use SecureRandom.hex(32) or SecureRandom.uuid.';
+  if (/\.(?:php|phtml)$/i.test(fp)) return 'Use random_bytes(32) or random_int(0, $max).';
+  return 'Use crypto.randomBytes(32).toString("hex") or crypto.getRandomValues().';
+}