From 179b719749c593bfb6ff8319791b2cc404fe3eb5 Mon Sep 17 00:00:00 2001
From: gonzaloriestra <14979109+gonzaloriestra@users.noreply.github.com>
Date: Sun, 28 Jun 2026 00:17:00 +0000
Subject: [PATCH] [Security] Harden client ID generation in ExtensionServerClient

Replaced predictable Math.random() with cryptographically secure globalThis.crypto.randomUUID() when available to prevent predictable client identifiers. Added a comment explaining the security check.
---
 .../src/ExtensionServerClient/ExtensionServerClient.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/ui-extensions-server-kit/src/ExtensionServerClient/ExtensionServerClient.ts b/packages/ui-extensions-server-kit/src/ExtensionServerClient/ExtensionServerClient.ts
index 507bfb5df73..e0fe58adfd3 100644
--- a/packages/ui-extensions-server-kit/src/ExtensionServerClient/ExtensionServerClient.ts
+++ b/packages/ui-extensions-server-kit/src/ExtensionServerClient/ExtensionServerClient.ts
@@ -32,7 +32,11 @@ export class ExtensionServerClient implements ExtensionServer.Client {
   private uiExtensionsByUuid: Record = {}
 
   constructor(options: DeepPartial = {}) {
-    this.id = (Math.random() + 1).toString(36).substring(7)
+    // Use a cryptographically secure random number generator if available to prevent predictable client IDs
+    this.id =
+      typeof globalThis.crypto?.randomUUID === 'function'
+        ? globalThis.crypto.randomUUID()
+        : (Math.random() + 1).toString(36).substring(7)
     this.options = getValidatedOptions({
       ...options,
       connection: {
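Review bot: The fallback branch of the new ternary still derives the client id from `Math.random()`, so on any runtime without `crypto.randomUUID` the predictable-id problem the commit sets out to fix is silently preserved, and that fallback also yields only a handful of base-36 characters, which is far less entropy than the UUID path. Runtimes that expose `globalThis.crypto` but not `randomUUID` generally do expose `getRandomValues`, so the fallback should go through that first and only reach `Math.random()` when no Web Crypto object exists at all, with the comment on the first added line updated to say which path is secure and which is best-effort. Note also that the id changes shape from a short base-36 token to a 36-character UUID; I cannot see from this hunk whether anything downstream assumes the old length or character set, so that is worth confirming. The constructor body continues past the end of the hunk.
```typescript
    this.id =
      typeof globalThis.crypto?.randomUUID === 'function'
        ? globalThis.crypto.randomUUID()
        : generateFallbackClientId()
    // … unchanged: getValidatedOptions call …

/** Hex id from Web Crypto when available; Math.random() is a last resort and is not cryptographically secure. */
function generateFallbackClientId(): string {
  const bytes = new Uint8Array(16)
  if (typeof globalThis.crypto?.getRandomValues === 'function') {
    globalThis.crypto.getRandomValues(bytes)
  } else {
    for (let i = 0; i < bytes.length; i++) bytes[i] = Math.floor(Math.random() * 256)
  }
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('')
}
```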