Use crypto.getRandomValues for guid/randomNumber with Math.random fallback, replace parseVersion regex with linear-time parser

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: niemyjski

packages/core/src/Utils.ts

@@ -27,7 +27,39 @@ export function getCookies(cookies: string, exclusions?: string[]): Record<strin
   return !isEmpty(result) ? result : null;
 }
 
+function getSecureCrypto(): Crypto | null {
+  const { crypto } = globalThis;
+  if (!crypto || typeof crypto.getRandomValues !== "function") {
+    return null;
+  }
+
+  return crypto;
+}
+
+function toHex(bytes: Uint8Array, start: number, length: number): string {
+  let result = "";
+  for (let index = start; index < start + length; index++) {
+    result += bytes[index].toString(16).padStart(2, "0");
+  }
+
+  return result;
+}
+
 export function guid(): string {
+  const crypto = getSecureCrypto();
+  if (crypto) {
+    if (typeof crypto.randomUUID === "function") {
+      return crypto.randomUUID();
+    }
+
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    bytes[6] = (bytes[6] & 0x0f) | 0x40;
+    bytes[8] = (bytes[8] & 0x3f) | 0x80;
+
+    return `${toHex(bytes, 0, 4)}-${toHex(bytes, 4, 2)}-${toHex(bytes, 6, 2)}-${toHex(bytes, 8, 2)}-${toHex(bytes, 10, 6)}`;
+  }
+
   function s4() {
     return Math.floor((1 + Math.random()) * 0x10000)
       .toString(16)
@@ -37,15 +69,101 @@ export function guid(): string {
   return s4() + s4() + "-" + s4() + "-" + s4() + "-" + s4() + "-" + s4() + s4() + s4();
 }
 
+function isDigitCode(code: number): boolean {
+  return code >= 48 && code <= 57;
+}
+
+function isVersionIdentifierCode(code: number): boolean {
+  return isDigitCode(code) || (code >= 65 && code <= 90) || (code >= 97 && code <= 122) || code === 45;
+}
+
+function readDigits(input: string, start: number): number {
+  let index = start;
+  while (index < input.length && isDigitCode(input.charCodeAt(index))) {
+    index++;
+  }
+
+  return index > start ? index : -1;
+}
+
+function readVersionIdentifiers(input: string, start: number): number {
+  let index = start;
+  while (index < input.length) {
+    const segmentStart = index;
+    while (index < input.length && isVersionIdentifierCode(input.charCodeAt(index))) {
+      index++;
+    }
+
+    if (index === segmentStart) {
+      return -1;
+    }
+
+    if (input[index] !== ".") {
+      return index;
+    }
+
+    index++;
+  }
+
+  return index;
+}
+
 export function parseVersion(source: string): string | null {
   if (!source) {
     return null;
   }
 
-  const versionRegex = /(v?((\d+)\.(\d+)(\.(\d+))?)(?:-([\dA-Za-z-]+(?:\.[\dA-Za-z-]+)*))?(?:\+([\dA-Za-z-]+(?:\.[\dA-Za-z-]+)*))?)/;
-  const matches = versionRegex.exec(source);
-  if (matches && matches.length > 0) {
-    return matches[0];
+  for (let index = 0; index < source.length; ) {
+    const start = index;
+    let cursor = index;
+
+    if (source[cursor] === "v") {
+      if (!isDigitCode(source.charCodeAt(cursor + 1))) {
+        index++;
+        continue;
+      }
+
+      cursor++;
+    } else if (!isDigitCode(source.charCodeAt(cursor))) {
+      index++;
+      continue;
+    }
+
+    const majorEnd = readDigits(source, cursor);
+    if (source[majorEnd] !== ".") {
+      index = majorEnd;
+      continue;
+    }
+
+    const minorEnd = readDigits(source, majorEnd + 1);
+    if (minorEnd === -1) {
+      index = majorEnd + 1;
+      continue;
+    }
+
+    let end = minorEnd;
+    if (source[end] === ".") {
+      const patchEnd = readDigits(source, end + 1);
+      if (patchEnd !== -1) {
+        end = patchEnd;
+      }
+    }
+
+    if (source[end] === "-") {
+      const preReleaseEnd = readVersionIdentifiers(source, end + 1);
+      if (preReleaseEnd !== -1) {
+        end = preReleaseEnd;
+      }
+    }
+
+    if (source[end] === "+") {
+      const buildEnd = readVersionIdentifiers(source, end + 1);
+      if (buildEnd !== -1) {
+        end = buildEnd;
+      }
+    }
+
+    return source.slice(start, end);
   }
 
   return null;
@@ -73,6 +191,14 @@ export function parseQueryString(query: string, exclusions?: string[]): Record<s
 }
 
 export function randomNumber(): number {
+  const crypto = getSecureCrypto();
+  if (crypto) {
+    const values = new Uint32Array(2);
+    crypto.getRandomValues(values);
+
+    return (values[0] & 0x1fffff) * 0x100000000 + values[1];
+  }
+
   return Math.floor(Math.random() * 9007199254740992);
 }
 
@@ -86,16 +212,15 @@ export function isMatch(input: string | undefined, patterns: string[], ignoreCas
     return false;
   }
 
-  const trim = /^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g;
-  input = (ignoreCase ? input.toLowerCase() : input).replace(trim, "");
+  input = (ignoreCase ? input.toLowerCase() : input).trim();
 
   return (patterns || []).some((pattern) => {
     if (typeof pattern !== "string") {
       return false;
     }
 
     if (pattern) {
-      pattern = (ignoreCase ? pattern.toLowerCase() : pattern).replace(trim, "");
+      pattern = (ignoreCase ? pattern.toLowerCase() : pattern).trim();
     }
 
     if (!pattern) {

packages/core/test/ExceptionlessClient.test.ts

@@ -1,4 +1,4 @@
-import { describe, expect, test } from "vitest";
+import { describe, expect, test, vi } from "vitest";
 
 import { ExceptionlessClient } from "#/ExceptionlessClient.js";
 import { KnownEventDataKeys } from "#/models/Event.js";
@@ -92,6 +92,24 @@ describe("ExceptionlessClient", () => {
     expect(client.config.serverUrl).toBe("https://localhost:5100");
   });
 
+  test("should create session identifiers without Math.random", async () => {
+    const client = new ExceptionlessClient();
+    client.config.apiKey = "UNIT_TEST_API_KEY";
+    client.config.useSessions(false, 60000, true);
+
+    const mathRandomSpy = vi.spyOn(Math, "random").mockImplementation(() => {
+      throw new Error("Math.random should not be used");
+    });
+
+    try {
+      const context = await client.submitSessionStart();
+      expect(client.config.currentSessionIdentifier).toMatch(/^[0-9a-f]{32}$/);
+      expect(context.event.reference_id).toBe(client.config.currentSessionIdentifier);
+    } finally {
+      mathRandomSpy.mockRestore();
+    }
+  });
+
   function createException(): ReferenceError {
     function throwError() {
       throw new ReferenceError("This is a test");

packages/core/test/Utils.test.ts

@@ -1,6 +1,6 @@
-import { describe, expect, test } from "vitest";
+import { describe, expect, test, vi } from "vitest";
 
-import { endsWith, isEmpty, isMatch, parseVersion, prune, startsWith, stringify, toBoolean } from "#/Utils.js";
+import { endsWith, guid, isEmpty, isMatch, parseVersion, prune, randomNumber, startsWith, stringify, toBoolean } from "#/Utils.js";
 
 describe("Utils", () => {
   function getObjectWithInheritedProperties(): unknown {
@@ -624,6 +624,38 @@ describe("Utils", () => {
     expect(parseVersion("https://cdnjs.cloudflare.com/BLAH/BLAH.min.js")).toBeNull();
   });
 
+  test("should parse semantic version labels without regex backtracking", () => {
+    expect(parseVersion("release/v1.2.3-rc.1+build.5/index.js")).toBe("v1.2.3-rc.1+build.5");
+    expect(parseVersion("release-1.2.3-.js")).toBe("1.2.3");
+  });
+
+  test("should generate guids without Math.random", () => {
+    const mathRandomSpy = vi.spyOn(Math, "random").mockImplementation(() => {
+      throw new Error("Math.random should not be used");
+    });
+
+    try {
+      expect(guid()).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/);
+    } finally {
+      mathRandomSpy.mockRestore();
+    }
+  });
+
+  test("should generate random numbers without Math.random", () => {
+    const mathRandomSpy = vi.spyOn(Math, "random").mockImplementation(() => {
+      throw new Error("Math.random should not be used");
+    });
+
+    try {
+      const value = randomNumber();
+      expect(Number.isSafeInteger(value)).toBe(true);
+      expect(value).toBeGreaterThanOrEqual(0);
+      expect(value).toBeLessThan(9007199254740992);
+    } finally {
+      mathRandomSpy.mockRestore();
+    }
+  });
+
   describe("isEmpty", () => {
     const emptyValues = {
       undefined: undefined,
@@ -721,6 +753,10 @@ describe("Utils", () => {
     test('input: myPassword patterns [" * pAssword * "]', () => {
       expect(isMatch("myPassword", ["*pAssword*"])).toBe(true);
     });
+
+    test("should trim unicode whitespace without regex replacement", () => {
+      expect(isMatch("\uFEFF myPassword \u00A0", ["\uFEFF *password* \u00A0"])).toBe(true);
+    });
   });
 
   describe("startsWith", () => {