Remove crypto.randomUUID dependency in favor of a custom function

[sejas]

What is this PR doing?

• Remove the crypto polyfill introduced on Add crypto to Polyfills improving Blueprint compatibility for Node  #1000
• Move the randomString from remote package to @php-wasm/util
• Created a new custom function randomFilename
• Replace the usage of crypto.randomUUID with randomFilename()

What problem is it solving?

crypto is a library that is available, but needs to be imported on node apps.

How is the problem addressed?

It replaces the function that generates a random value with our custom library

Testing Instructions

• CI tests pass

[kozer]

[ Question ] Why we increased the characters we are using in comparison with UUID?
UUID has 36 + 4 characters instead of 46.
Can we change that to be 40 instead?

[sejas]

Thanks for the correction. UUID actually is 36 characters long. Example 'd6c556d6-32b8-4bdf-b338-20a16e9860aa'.

A string containing a randomly generated, 36 character long v4 UUID.
https://developer.mozilla.org/en-US/docs/Web/API/Crypto/randomUUID

I added a default length of 36 to randomString function.

https://github.com/WordPress/wordpress-playground/pull/1016/files#diff-0a926c4fcfdcd984fa42eaa66f44f2a5aea8bcde6576ee5ba04698402489ad65R1

[adamziel]

Thank you @sejas! One caveat would be that randomString() can return a string containing / which has a special meaning in the path. Also, by default it also uses symbols like !@#$%^&*. Perhaps exporting another utility function like randomFilename() would be more appropriate here after all.

[sejas]

@adamziel, Right!, I improved randomString to accept special characters as a parameter, and I created randomFilename to reuse the same function.

[dmsnell]

While I understand that the Playground has its own limited risk for security, I'm a bit surprised we removed a cryptographically-secure source of randomness in favor of one without that. Did we perform an audit to ensure that we don't need better randomness in the app? If all we're doing is creating a temporary filename for an in-memory database it seems harmless, but if we're using this for anything related to sensitive content then we may want to ensure we limit the use of this custom generator and warn people that it provides no cryptographic value.

[adamziel]

@dmsnell I agree. This PR is strictly about creating temporary files with random names, not cryptographic security. For anything security related we’ll still need to use crypto.