From ce43151ca3cc27c8c45d2f5118d07ed9e1c268ae Mon Sep 17 00:00:00 2001
From: gonzaloriestra <14979109+gonzaloriestra@users.noreply.github.com>
Date: Fri, 26 Jun 2026 00:45:18 +0000
Subject: [PATCH 1/2] [Security] Harden client ID generation in ExtensionServerClient
Replace insecure Math.random() with globalThis.crypto.randomUUID() when available to ensure a cryptographically secure and unique identifier. Includes a fallback for environments where randomUUID is not supported.
---
.../src/ExtensionServerClient/ExtensionServerClient.ts | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/packages/ui-extensions-server-kit/src/ExtensionServerClient/ExtensionServerClient.ts b/packages/ui-extensions-server-kit/src/ExtensionServerClient/ExtensionServerClient.ts
index 507bfb5df73..84e953e43d2 100644
--- a/packages/ui-extensions-server-kit/src/ExtensionServerClient/ExtensionServerClient.ts
+++ b/packages/ui-extensions-server-kit/src/ExtensionServerClient/ExtensionServerClient.ts
@@ -32,7 +32,10 @@ export class ExtensionServerClient implements ExtensionServer.Client {
 private uiExtensionsByUuid: Record = {}
 
 constructor(options: DeepPartial = {}) {
- this.id = (Math.random() + 1).toString(36).substring(7)
+ this.id =
+ typeof globalThis.crypto?.randomUUID === 'function'
+ ? globalThis.crypto.randomUUID()
+ : (Math.random() + 1).toString(36).substring(7)
 this.options = getValidatedOptions({
 ...options,
 connection: {
From fc13eb4763518613c748c0ad91e8e00fe57bffe3 Mon Sep 17 00:00:00 2001
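Review bot: The Math.random() fallback on the last added line is reached more often than the commit message suggests: in browsers crypto.randomUUID is exposed only in secure contexts, so on a plain-http origin `globalThis.crypto` exists but `randomUUID` does not and the id silently degrades to the old non-cryptographic scheme, even though `crypto.getRandomValues` is available there. Prefer a three-step fallback — randomUUID, then a getRandomValues-based hex id, then Math.random as a last resort — and mark the last step with `// Last resort only: not cryptographically random` so a reader sees the degradation is deliberate rather than an oversight. The constructor body continues outside the hunk, and whether any consumer depends on the old short base36 format of `this.id` (the new value is a 36-character UUID) is not visible here.
```typescript
    // … unchanged: constructor signature …
    const webCrypto = globalThis.crypto
    if (typeof webCrypto?.randomUUID === 'function') {
      this.id = webCrypto.randomUUID()
    } else if (typeof webCrypto?.getRandomValues === 'function') {
      // Web Crypto present but randomUUID absent (e.g. non-secure browser contexts): still CSPRNG-backed
      const bytes = webCrypto.getRandomValues(new Uint8Array(16))
      this.id = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('')
    } else {
      // Last resort only: not cryptographically random
      this.id = (Math.random() + 1).toString(36).substring(7)
    }
    // … unchanged: this.options = getValidatedOptions({ … }) …
```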
From: gonzaloriestra <14979109+gonzaloriestra@users.noreply.github.com>
Date: Fri, 26 Jun 2026 00:57:09 +0000
Subject: [PATCH 2/2] [Security] Harden client ID generation in ExtensionServerClient
Replace insecure Math.random() with globalThis.crypto.randomUUID() when available to ensure a cryptographically secure and unique identifier. Includes a fallback for environments where randomUUID is not supported. Also includes an updated generated GraphQL type.
---
packages/cli-kit/src/cli/api/graphql/admin/generated/types.d.ts | 2 ++
1 file changed, 2 insertions(+)
diff --git a/packages/cli-kit/src/cli/api/graphql/admin/generated/types.d.ts b/packages/cli-kit/src/cli/api/graphql/admin/generated/types.d.ts
index 2da991ce827..9ce2584b9d6 100644
--- a/packages/cli-kit/src/cli/api/graphql/admin/generated/types.d.ts
+++ b/packages/cli-kit/src/cli/api/graphql/admin/generated/types.d.ts
@@ -232,6 +232,8 @@ export type OnlineStoreThemeFilesUserErrorsCode =
 | 'LESS_THAN_OR_EQUAL_TO'
 /** The record with the ID used as the input value couldn't be found. */
 | 'NOT_FOUND'
+ /** Theme contextualization and condition types are not compatible with each other. */
+ | 'THEME_CONTEXTUALIZATION_NOT_COMPATIBLE_WITH_CONDITION_TYPES'
 /** There are theme files with conflicts. */
 | 'THEME_FILES_CONFLICT'
 /** This action is not available on your current plan. Please upgrade to access theme editing features. */