From d3ffe6fd43f5c3395ada933bb9d6bf6d2d552013 Mon Sep 17 00:00:00 2001
From: Ryan
Date: Sat, 13 Dec 2025 00:57:49 -0500
Subject: [PATCH] release(v2.6.1): fix(folderManager): replace Math.random SVG IDs with crypto-based UID helper
---
 CHANGELOG.md | 8 ++++++++
 public/css/styles.css | 5 +++++
 public/js/folderManager.js | 18 ++++++++++++++++--
 3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1915690..695a59d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
+## Changes 12/13/2025 (v2.6.1)
+
+release(v2.6.1): fix(folderManager): replace Math.random SVG IDs with crypto-based UID helper
+
+- Add makeUid() using crypto.randomUUID() / crypto.getRandomValues() (with counter fallback) to avoid Math.random CodeQL findings.
+- Use makeUid() for folderSVG() clipPath IDs and recycleBinSVG() IDs to prevent collisions and satisfy security linting.
+- UI: tweak header button + header drop area icon padding for more consistent sizing.
+
 ## Changes 12/12/2025 (v2.6.0)
 release(v2.6.0): Harden downloads and refresh recycle bin + toolbar UX
diff --git a/public/css/styles.css b/public/css/styles.css
index bd9c032..8c943c1 100644
--- a/public/css/styles.css
+++ b/public/css/styles.css
@@ -979,6 +979,11 @@ label{font-size: 0.9rem;}
 @media (max-width: 600px) {
 .col-12.col-md-4.text-left{margin-left: -15px;}
 }
+
+ .header-buttons button:not(#userDropdownToggle),
+#headerDropArea .header-card-icon {
+ padding: 9px;
+}
 #fileListTitle{font-size: 1.8em; margin-top: 10px; margin-bottom: 10px;}
diff --git a/public/js/folderManager.js b/public/js/folderManager.js
index 202bab6..adf8ac3 100644
--- a/public/js/folderManager.js
+++ b/public/js/folderManager.js
@@ -34,6 +34,20 @@ function detachFolderModalsToBody() {
 document.addEventListener('DOMContentLoaded', detachFolderModalsToBody);
 const PAGE_LIMIT = 100;
+let _uidFallbackCounter = 0;
+
+// Generate stable-ish unique IDs using crypto when available (avoids Math.random CodeQL finding).
+function makeUid(prefix = 'uid') {
+ const cryptoObj = (typeof self !== 'undefined' && self.crypto) ? self.crypto : (typeof window !== 'undefined' ? window.crypto : undefined);
+ if (cryptoObj?.randomUUID) return `${prefix}-${cryptoObj.randomUUID()}`;
+ if (cryptoObj?.getRandomValues) {
+ const buf = new Uint32Array(2);
+ cryptoObj.getRandomValues(buf);
+ return `${prefix}-${buf[0].toString(36)}${buf[1].toString(36)}`;
+ }
+ _uidFallbackCounter = (_uidFallbackCounter + 1) % 0x7fffffff;
+ return `${prefix}-${Date.now().toString(36)}-${_uidFallbackCounter.toString(36)}`;
+}
 /* ----------------------
 Helpers: safe JSON + state
@@ -538,7 +552,7 @@ async function expandAncestors(targetFolder) {
 SVG icon helpers
 ----------------------*/
 export function folderSVG(kind = 'empty', { locked = false } = {}) {
- const gid = 'g' + Math.random().toString(36).slice(2, 8);
+ const gid = makeUid('g');
 return `
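Review bot: The header comment on `makeUid` (`// Generate stable-ish unique IDs using crypto ...`) overstates the guarantee: the final branch builds the id from `Date.now()` plus `_uidFallbackCounter`, which is fully predictable, and the one caller this commit shows (`folderSVG`'s clipPath id, in the second hunk) needs a document-unique DOM id, not an unpredictable value. Replace the comment with something like `// Document-unique ids for inline SVG (clipPath etc.); crypto is used when present only so linting does not flag Math.random. Not a token/secret generator: the counter fallback is predictable.` so the helper is not later reused for anything security-relevant. Because the result is interpolated unescaped into markup and `prefix` is passed straight through, the comment should also say callers pass literal alphanumeric prefixes (`'g'` is the one visible here; the recycleBinSVG use named in the changelog is outside this hunk). As a style point, the detection line can shrink to `const cryptoObj = globalThis.crypto;` — `globalThis` is ES2020 like the `?.` the function already uses, and it covers both `self` and `window`.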