Merge pull request #32355 from nextcloud/bugfix/noid/prevent-invalid-length

Validate requested length is random string generator
2022-05-12 15:45:58 +07:00 · 2022-05-12 15:45:58 +07:00 · 32139610c5
parent 33ffaad14b 01dbd22c9c
commit 32139610c5
2 changed files with 22 additions and 2 deletions
--- a/lib/private/Security/SecureRandom.php
+++ b/lib/private/Security/SecureRandom.php
@ -40,14 +40,19 @@ use OCP\Security\ISecureRandom;
 */
 class SecureRandom implements ISecureRandom {
 	/**
-	 * Generate a random string of specified length.
+	 * Generate a secure random string of specified length.
 	 * @param int $length The length of the generated string
 	 * @param string $characters An optional list of characters to use if no character list is
 	 * 							specified all valid base64 characters are used.
 	 * @return string
+	 * @throws \LengthException if an invalid length is requested
 	 */
 	public function generate(int $length,
 							 string $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'): string {
+		if ($length <= 0) {
+			throw new \LengthException('Invalid length specified: ' . $length . ' must be bigger than 0');
+		}
+
 		$maxCharIndex = \strlen($characters) - 1;
 		$randomString = '';

--- a/tests/lib/Security/SecureRandomTest.php
+++ b/tests/lib/Security/SecureRandomTest.php
@ -16,7 +16,6 @@ use OC\Security\SecureRandom;
 class SecureRandomTest extends \Test\TestCase {
 	public function stringGenerationProvider() {
 		return [
-			[0, 0],
 			[1, 1],
 			[128, 128],
 			[256, 256],
@ -77,4 +76,20 @@ class SecureRandomTest extends \Test\TestCase {
 		$matchesRegex = preg_match('/^'.$chars.'+$/', $randomString);
 		$this->assertSame(1, $matchesRegex);
 	}
+
+	public static function invalidLengths() {
+		return [
+			[0],
+			[-1],
+		];
+	}
+
+	/**
+	 * @dataProvider invalidLengths
+	 */
+	public function testInvalidLengths($length) {
+		$this->expectException(\LengthException::class);
+		$generator = $this->rng;
+		$generator->generate($length);
+	}
 }