From 01dbd22c9c2347fffc28240e4a1bd9ccf509a24b Mon Sep 17 00:00:00 2001
From: Vincent Petry
Date: Thu, 12 May 2022 13:58:18 +0200
Subject: Validate requested length is random string generator

Signed-off-by: Vincent Petry
---
 lib/private/Security/SecureRandom.php | 7 ++++++-
 tests/lib/Security/SecureRandomTest.php | 17 ++++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/lib/private/Security/SecureRandom.php b/lib/private/Security/SecureRandom.php
index 4bf8995d737..cbd1dc8db6d 100644
--- a/lib/private/Security/SecureRandom.php
+++ b/lib/private/Security/SecureRandom.php
@@ -40,14 +40,19 @@ use OCP\Security\ISecureRandom;
 */
 class SecureRandom implements ISecureRandom {
 /**
- * Generate a random string of specified length.
+ * Generate a secure random string of specified length.
 * @param int $length The length of the generated string
 * @param string $characters An optional list of characters to use if no character list is
 * specified all valid base64 characters are used.
 * @return string
+ * @throws \LengthException if an invalid length is requested
 */
 public function generate(int $length,
 string $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'): string {
+ if ($length <= 0) {
+ throw new \LengthException('Invalid length specified: ' . $length . ' must be bigger than 0');
+ }
+
 $maxCharIndex = \strlen($characters) - 1;
 $randomString = '';
 
diff --git a/tests/lib/Security/SecureRandomTest.php b/tests/lib/Security/SecureRandomTest.php
index 7257d52e8f5..c7ee76a96bb 100644
--- a/tests/lib/Security/SecureRandomTest.php
+++ b/tests/lib/Security/SecureRandomTest.php
@@ -16,7 +16,6 @@ use OC\Security\SecureRandom;
 class SecureRandomTest extends \Test\TestCase {
 public function stringGenerationProvider() {
 return [
- [0, 0],
 [1, 1],
 [128, 128],
 [256, 256],
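Review bot: The new guard in `generate()` (lib/private/Security/SecureRandom.php) validates `$length` but not `$characters`, although the very next line computes `$maxCharIndex = \strlen($characters) - 1`, which is -1 for an empty string and 0 for a one-character list. How the loop below uses that index is outside the hunk, so an empty list presumably fails with an engine error rather than a documented exception; a matching check such as `if ($characters === '') { throw new \LengthException('Character list must not be empty'); }` would make that explicit. A one-character list would still return a fully predictable string, which deserves a sentence in the docblock. The `@throws \LengthException` line is added only on this class, and the diffstat shows no change to `OCP\Security\ISecureRandom`, so callers typed against the interface are not told that a length of 0, which the old test data included, now throws.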
@@ -77,4 +76,20 @@ class SecureRandomTest extends \Test\TestCase {
 $matchesRegex = preg_match('/^'.$chars.'+$/', $randomString);
 $this->assertSame(1, $matchesRegex);
 }
+
+ public static function invalidLengths() {
+ return [
+ [0],
+ [-1],
+ ];
+ }
+
+ /**
+ * @dataProvider invalidLengths
+ */
+ public function testInvalidLengths($length) {
+ $this->expectException(\LengthException::class);
+ $generator = $this->rng;
+ $generator->generate($length);
+ }
 }
-- cgit v1.2.3
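Review bot: `testInvalidLengths($length)` is declared without parameter or return types and copies `$this->rng` into a local that is used once; `public function testInvalidLengths(int $length): void` with a direct `$this->rng->generate($length);` reads tighter. The test pins only the exception class, so adding `$this->expectExceptionMessage('Invalid length specified');` would keep it from passing on a `\LengthException` raised for some other reason. `invalidLengths()` is static while `stringGenerationProvider()` in the same class is not (visible in the earlier hunk of this file), and using one form for both providers would be consistent. Where `$this->rng` is initialised is outside the hunk.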