Merge pull request #79 from MercuryWorkshop/docs

Added Security Blueprint explaining how to implement secure coding practices for Contributors.
MercuryWorkshop · Sep 11, 2023 · cff00ad · cff00ad
2 parents 81fd3a4 + ce3d42e
commit cff00ad
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -28,3 +28,8 @@ If you are wondering what counts as a vulnerability, heres a good list:
 -   XSS in the Anura URL
 -   The ability to execute arbitrary code on the server hosting Anura(not in Anura itself, as this is an intended feature)
 -   The ability to crash Anura(As in for everyone, not just your browser session)
+
+
+## Implementing Security(For Project Members and Contributors)
+
+See [SECURITY-BP.md](./documentation/SECURITY-BP.md) for instructions on implementing security in your code.
diff --git a/documentation/SECURITY-BP.md b/documentation/SECURITY-BP.md
@@ -0,0 +1,24 @@
+# Security Blueprint
+This Document will explain what and how security features are implemented in AnuraOS. 
+
+
+
+## Secure Math
+
+In Anura, when coding in security sensitive context, we replace `Math.random()` with our own function `cryptoRandom()`.  `cryptoRandom()` is a direct replacement for `Math.random()` and the two are fully interchangeable.  If you would like to implement `cryptoRandom()` you can use the following steps(for TypeScript):
+
+ 1. If not already installed, run `npm install @types/node`
+ 2. Add `import * as crypto from "crypto";` to the head of whatever file in which you would like to replace `Math.random()`
+ 3. add the following function to your code:
+
+```ts
+function cryptoRandom() {
+  const typedArray = new Uint8Array(1);
+  const randomValue = crypto.getRandomValues(typedArray)[0];
+  const randomFloat = randomValue / Math.pow(2, 8);
+  return randomFloat;
+}
+```
+4. You can now replace `Math.random()` anywhere in your code with `cryptoRandom()`.
+
+## TODO