add support for secure-random

Author: erik-krogh

javascript/ql/src/Security/CWE-327/BadRandomness.ql

@@ -26,6 +26,10 @@ private DataFlow::SourceNode randomBufferSource() {
   )
   or
   result = DataFlow::globalVarRef("crypto").getAMethodCall("getRandomValues")
+  or
+  result = DataFlow::moduleImport("secure-random").getACall()
+  or
+  result = DataFlow::moduleImport("secure-random").getAMethodCall(["randomArray", "randomUint8Array", "randomBuffer"])
 }
 
 /**

javascript/ql/test/query-tests/Security/CWE-327/BadRandomness.expected

@@ -5,3 +5,4 @@
 | bad-random.js:14:11:14:63 | Number( ... (0, 3)) | Using string concatenation on cryptographically random numbers produces biased results. |
 | bad-random.js:73:32:73:42 | byte / 25.6 | Using division on cryptographically random numbers produces biased results. |
 | bad-random.js:75:21:75:30 | byte % 100 | Using modulo on cryptographically random numbers produces biased results. |
+| bad-random.js:81:11:81:51 | secureR ... (10)[0] | Using addition on cryptographically random numbers produces biased results. |

javascript/ql/test/query-tests/Security/CWE-327/bad-random.js

@@ -74,4 +74,8 @@ function setSteps() {
         digits.push(byte % 8); // OK - 8 is a power of 2, so the result is unbiased.
         digits.push(byte % 100); // NOT OK
     }
-}
+}
+
+const secureRandom = require("secure-random");
+
+var bad = secureRandom(10)[0] + secureRandom(10)[0]; // NOT OK