
github.com/nextcloud/server.git - Unnamed repository; edit this file 'description' to name the repository.
authorJoas Schilling <213943+nickvergessen@users.noreply.github.com>2022-05-12 16:45:58 +0300
committerGitHub <noreply@github.com>2022-05-12 16:45:58 +0300
commit32139610c5e11ee84c71cc1db3e58523f749aa27 (patch)
tree015a97fa4209e186a6433650d3440bb5bdf7f89e
parent33ffaad14bd15c8f6ed370b28bc83feec4f69980 (diff)
parent01dbd22c9c2347fffc28240e4a1bd9ccf509a24b (diff)
Merge pull request #32355 from nextcloud/bugfix/noid/prevent-invalid-length
Validate requested length in random string generator
-rw-r--r--lib/private/Security/SecureRandom.php7
-rw-r--r--tests/lib/Security/SecureRandomTest.php17
2 files changed, 22 insertions, 2 deletions
diff --git a/lib/private/Security/SecureRandom.php b/lib/private/Security/SecureRandom.php
index 4bf8995d737..cbd1dc8db6d 100644
--- a/lib/private/Security/SecureRandom.php
+++ b/lib/private/Security/SecureRandom.php
@@ -40,14 +40,19 @@ use OCP\Security\ISecureRandom;
*/
class SecureRandom implements ISecureRandom {
/**
- * Generate a random string of specified length.
+ * Generate a secure random string of specified length.
* @param int $length The length of the generated string
* @param string $characters An optional list of characters to use if no character list is
* specified all valid base64 characters are used.
* @return string
+ * @throws \LengthException if an invalid length is requested
*/
public function generate(int $length,
string $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'): string {
+ if ($length <= 0) {
+ throw new \LengthException('Invalid length specified: ' . $length . ' must be bigger than 0');
+ }
+
$maxCharIndex = \strlen($characters) - 1;
$randomString = '';
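Review bot: The new guard in `generate()` rejects a non-positive `$length`, but `$characters` is still used unchecked on the very next line, where `$maxCharIndex = \strlen($characters) - 1` becomes -1 for an empty list and 0 for a one-character list. The rest of the body is outside this hunk, so how the index is consumed is inferred. If it bounds the per-character random pick, an empty list fails later with an unrelated error, and a one-character list returns a fully predictable string from an API named SecureRandom. Consider validating it next to the length check, e.g. `if ($characters === '') { throw new \LengthException('Character list must not be empty'); }`. The docblock should also say whether a single-character list is accepted. Since `\strlen` counts bytes, the `@param` text should state that only single-byte characters are supported.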
diff --git a/tests/lib/Security/SecureRandomTest.php b/tests/lib/Security/SecureRandomTest.php
index 7257d52e8f5..c7ee76a96bb 100644
--- a/tests/lib/Security/SecureRandomTest.php
+++ b/tests/lib/Security/SecureRandomTest.php
@@ -16,7 +16,6 @@ use OC\Security\SecureRandom;
class SecureRandomTest extends \Test\TestCase {
public function stringGenerationProvider() {
return [
- [0, 0],
[1, 1],
[128, 128],
[256, 256],
@@ -77,4 +76,20 @@ class SecureRandomTest extends \Test\TestCase {
$matchesRegex = preg_match('/^'.$chars.'+$/', $randomString);
$this->assertSame(1, $matchesRegex);
}
+
+ public static function invalidLengths() {
+ return [
+ [0],
+ [-1],
+ ];
+ }
+
+ /**
+ * @dataProvider invalidLengths
+ */
+ public function testInvalidLengths($length) {
+ $this->expectException(\LengthException::class);
+ $generator = $this->rng;
+ $generator->generate($length);
+ }
}
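Review bot: `testInvalidLengths` asserts only the exception class, so it would also pass if a `\LengthException` were raised somewhere other than the new guard. Adding `$this->expectExceptionMessage('Invalid length specified');` before the call ties the test to that check. The provider and the test are also untyped and undocumented. `public static function invalidLengths(): array` and `public function testInvalidLengths(int $length): void` would make the intent explicit, and a short docblock could note that 0 is the boundary moved here from `stringGenerationProvider`. The class begins outside this hunk, so the setup of `$this->rng` is not visible.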