From 01dbd22c9c2347fffc28240e4a1bd9ccf509a24b Mon Sep 17 00:00:00 2001
From: Vincent Petry <vincent@nextcloud.com>
Date: Thu, 12 May 2022 13:58:18 +0200
Subject: [PATCH] Validate requested length is random string generator

Signed-off-by: Vincent Petry <vincent@nextcloud.com>
---
 lib/private/Security/SecureRandom.php   |  7 ++++++-
 tests/lib/Security/SecureRandomTest.php | 17 ++++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/lib/private/Security/SecureRandom.php b/lib/private/Security/SecureRandom.php
index 4bf8995d737..cbd1dc8db6d 100644
--- a/lib/private/Security/SecureRandom.php
+++ b/lib/private/Security/SecureRandom.php
@@ -40,14 +40,19 @@ use OCP\Security\ISecureRandom;
  */
 class SecureRandom implements ISecureRandom {
 	/**
-	 * Generate a random string of specified length.
+	 * Generate a secure random string of specified length.
 	 * @param int $length The length of the generated string
 	 * @param string $characters An optional list of characters to use if no character list is
 	 * 							specified all valid base64 characters are used.
 	 * @return string
+	 * @throws \LengthException if an invalid length is requested
 	 */
 	public function generate(int $length,
 							 string $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'): string {
+		if ($length <= 0) {
+			throw new \LengthException('Invalid length specified: ' . $length . ' must be bigger than 0');
+		}
+
 		$maxCharIndex = \strlen($characters) - 1;
 		$randomString = '';
 
diff --git a/tests/lib/Security/SecureRandomTest.php b/tests/lib/Security/SecureRandomTest.php
index 7257d52e8f5..c7ee76a96bb 100644
--- a/tests/lib/Security/SecureRandomTest.php
+++ b/tests/lib/Security/SecureRandomTest.php
@@ -16,7 +16,6 @@ use OC\Security\SecureRandom;
 class SecureRandomTest extends \Test\TestCase {
 	public function stringGenerationProvider() {
 		return [
-			[0, 0],
 			[1, 1],
 			[128, 128],
 			[256, 256],
@@ -77,4 +76,20 @@ class SecureRandomTest extends \Test\TestCase {
 		$matchesRegex = preg_match('/^'.$chars.'+$/', $randomString);
 		$this->assertSame(1, $matchesRegex);
 	}
+
+	public static function invalidLengths() {
+		return [
+			[0],
+			[-1],
+		];
+	}
+
+	/**
+	 * @dataProvider invalidLengths
+	 */
+	public function testInvalidLengths($length) {
+		$this->expectException(\LengthException::class);
+		$generator = $this->rng;
+		$generator->generate($length);
+	}
 }
-- 
2.39.5