
refactor(vault): migrate Vault plugin to NestJS#1989

Closed
shikanime wants to merge 4 commits into pr1958 from pr1989

Conversation

email,
username,
name,
password: Math.random().toString(36).slice(-8) + Math.random().toString(36).slice(-8), // Dummy password

Check failure

Code scanning / CodeQL

Insecure randomness

This uses a cryptographically insecure random number generated at [Math.random()](1) in a security context. This uses a cryptographically insecure random number generated at [Math.random()](2) in a security context.

Copilot Autofix

AI 4 days ago

In general, the fix is to replace uses of Math.random() for generating passwords with a cryptographically secure random generator. In Node.js, that means using crypto.randomBytes (or crypto.randomInt) to derive the password characters. We must keep the observable behavior similar (i.e., still provide a 16‑character random password string, or close to that), but strengthen the entropy source.

Concretely, in apps/server-nestjs/src/modules/gitlab/gitlab.service.ts, update the createUser method so that the password property no longer concatenates Math.random().toString(36).... Instead, import randomBytes from Node’s built‑in crypto module at the top of the file and define a small helper function (within the shown snippet) that generates a 16‑character base‑36‑style random string using randomBytes. Then call that helper in place of the current expression. This preserves the rough format (alphanumeric string) and length while ensuring the randomness is cryptographically secure. Only new import(s) from standard Node libraries will be added, and existing logic, parameters, and return types of createUser will remain unchanged.


Suggested changeset 1
apps/server-nestjs/src/modules/gitlab/gitlab.service.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/apps/server-nestjs/src/modules/gitlab/gitlab.service.ts b/apps/server-nestjs/src/modules/gitlab/gitlab.service.ts
--- a/apps/server-nestjs/src/modules/gitlab/gitlab.service.ts
+++ b/apps/server-nestjs/src/modules/gitlab/gitlab.service.ts
@@ -6,6 +6,7 @@
 import { GitlabClientService } from './gitlab-client.service'
 import { INFRA_GROUP_PATH, MIRROR_REPO_NAME } from './gitlab.constant'
 import { join } from 'node:path'
+import { randomBytes } from 'node:crypto'
 
 @Injectable()
 export class GitlabService {
@@ -204,11 +205,12 @@
 
   async createUser(email: string, username: string, name: string) {
     // Note: This requires admin token usually
+    const password = randomBytes(12).toString('base64').slice(0, 16)
     return this.client.Users.create({
       email,
       username,
       name,
-      password: Math.random().toString(36).slice(-8) + Math.random().toString(36).slice(-8), // Dummy password
+      password, // Dummy password
       skipConfirmation: true,
     })
   }
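Review bot: the `.slice(0, 16)` on the new `const password` line is dead code: 12 random bytes base64-encode to exactly 16 characters with no padding (12 / 3 * 4 = 16), so either drop the slice or draw more bytes and slice so the intent is visible. Note also that the base64 alphabet contains `+`, `/` and uppercase letters, whereas the replaced `Math.random().toString(36)` expression only produced `0-9a-z`; that is fine unless something downstream constrains the character set, which is worth confirming against the GitLab instance's password settings. Finally, `password, // Dummy password` keeps a comment that no longer describes the value: it is now a strong secret that is generated and immediately discarded, so the comment should state why a throwaway password is acceptable for accounts created here instead of calling it a dummy.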
EOF
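To make the CodeQL finding and the proposed fix concrete, here is an added example (it is not code from this PR, from the project, or from the Copilot suggestion) that puts the flagged `Math.random()` pattern beside two CSPRNG-backed replacements and a small policy check. The function names `insecurePassword`, `securePassword`, `autofixStylePassword`, `entropyBits` and `meetsPolicy` are hypothetical; only the `Math.random().toString(36).slice(-8)` expression and the `randomBytes(12).toString('base64').slice(0, 16)` form come from the page. It also generalizes the autofix's "base-36-style" idea to an arbitrary alphabet with unbiased sampling via `crypto.randomInt`.

```typescript
// Added example: throwaway-password generation for an account-provisioning
// service, insecure form beside secure forms. Hypothetical helper names.
import { randomBytes, randomInt } from 'node:crypto'

// The pattern CodeQL flagged. Math.random() is a fast, seeded PRNG, not a
// CSPRNG: its output is predictable to anyone who observes enough values.
// The result is also not guaranteed to be 16 characters (e.g. a value whose
// base-36 expansion is short, or 0 itself, yields fewer than 8 digits).
export function insecurePassword(): string {
  return Math.random().toString(36).slice(-8) + Math.random().toString(36).slice(-8)
}

// Same character class as the original output (0-9a-z), so any downstream
// validation that accepted the old values accepts these too.
export const BASE36_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyz'

// randomInt(max) draws from the OS CSPRNG and rejects out-of-range samples
// internally, so every alphabet character is equally likely (no modulo bias).
export function securePassword(length = 16, alphabet = BASE36_ALPHABET): string {
  let out = ''
  for (let i = 0; i < length; i++) {
    out += alphabet[randomInt(alphabet.length)]
  }
  return out
}

// The form the autofix proposed. 12 bytes base64-encode to exactly 16
// characters with no '=' padding, so the trailing slice(0, 16) is a no-op.
// Alphabet here is A-Z a-z 0-9 + /, i.e. wider than the original's.
export function autofixStylePassword(): string {
  return randomBytes(12).toString('base64').slice(0, 16)
}

// Guessing-resistance of a uniformly sampled password in bits.
export function entropyBits(length: number, alphabetSize: number): number {
  return length * Math.log2(alphabetSize)
}

// A reviewer-style check: minimum length and allowed characters only.
export function meetsPolicy(pw: string, minLen = 16, alphabet = BASE36_ALPHABET): boolean {
  if (pw.length < minLen) return false
  for (let i = 0; i < pw.length; i++) {
    if (alphabet.indexOf(pw[i]) === -1) return false
  }
  return true
}
```

`securePassword()` is the drop-in replacement for the flagged expression when the old 0-9a-z format must be preserved; `autofixStylePassword()` reproduces the patch as proposed. Both give roughly 83 to 96 bits of entropy for 16 characters, far above anything `Math.random()` can offer, and neither depends on the length quirks of `toString(36)`.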
@shikanime shikanime changed the title from "chore(vault): migrate" to "chore(vault): migrate Vault plugin to NestJS" Mar 11, 2026
@shikanime shikanime changed the base branch from main to pr1958 March 11, 2026 08:24
@shikanime shikanime marked this pull request as draft March 11, 2026 08:25
@shikanime shikanime self-assigned this Mar 11, 2026
@shikanime shikanime force-pushed the pr1989 branch 2 times, most recently from 690fc10 to 1dbdd69 March 11, 2026 09:46
@shikanime shikanime force-pushed the pr1958 branch 2 times, most recently from 32aba4d to 3f82528 March 11, 2026 10:10
@shikanime shikanime force-pushed the pr1989 branch 2 times, most recently from ee9aa88 to ab83dd2 March 11, 2026 10:48
@shikanime shikanime force-pushed the pr1958 branch 2 times, most recently from f9a38ee to 9e306ed March 11, 2026 11:03
@shikanime shikanime force-pushed the pr1989 branch 2 times, most recently from 76ee371 to 8d6f11f March 11, 2026 11:07
@shikanime shikanime force-pushed the pr1958 branch 2 times, most recently from 846c206 to c6e9a1f March 12, 2026 09:46
@shikanime shikanime force-pushed the pr1989 branch 2 times, most recently from 2e33ab7 to a806baf March 12, 2026 10:56
This was referenced Mar 12, 2026
Signed-off-by: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>
@shikanime
Contributor Author

Merged into #1958


Labels

tech Technical issue

Projects

None yet


1 participant