fix(internet): generate long passwords without stack overflow#3946
fix(internet): generate long passwords without stack overflow#3946Shinigami92 wants to merge 5 commits into
Conversation
✅ Deploy Preview for fakerjs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Co-authored-by: Shinigami <chrissi92@hotmail.de>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## next #3946 +/- ##
==========================================
- Coverage 98.84% 98.84% -0.01%
==========================================
Files 923 923
Lines 3216 3215 -1
Branches 583 565 -18
==========================================
- Hits 3179 3178 -1
Misses 33 33
Partials 4 4
🚀 New features to boost your workflow:
|
|
This PR was created due to a security advisory we received. Wouldn't it be proper etiquette to:
I never had to work on an actual "live" vulnerability/disclosure process myself so these are honest questions I'm asking. |
Actually I omitted all this by design, so e.g. AIs listening don't get that we are actually working on a fix for that 🫠 Now you exposed something that was privately gated behind the scenes.
|
The existence of this PR is sufficient information for anybody that is reading through the repo (your AI friends). I am not exposing anything that is not clear by looking at the patch you provided here itself. 🤷♀️ |
Sorry, I didn't want to be mean or toxic but a bit more funny while also kicking a thought process on your side. For me it makes a difference if someone can search GitHub repos via api by security label and find unfixed bugs, or if they scan the repository with AI, because in the later one they at least took the effort (at least now) to spend money on the investigation. But I think we can clearly all agree that open source code is open and therefore scannable. I just saw a difference on non obvious vs obvious. But I'm thankful for the reviews and the hint to e.g. problem with the while loop, I will try to tackle this this evening after work. 🤝 |
ST-DDT
left a comment
There was a problem hiding this comment.
IMO we should deprecate a lot of the legacy options from this method immediately and remove them in v11.0.
Maybe even simplify the implememtation to length only and then expand it if demand exists using the generator type pattern outlined in the issue.
As for the current fix implementation:
The method pools the characters from a very limited set. Instead of verifying that the chosen character matches the pattern, we could pre filter all characters and then pass only the matching to fromCharacters.
If no character match, then that method should throw an error. This will likely also improve the performance of the method since it will no longer attempt to generate banned characters.
const vowels = [...].filter(regex.test)
const consonants = [...].filter(regex.test)
let useVowels = boolean();
let result = ''
for (i...length) {
result += fromCharacters(useVowels ? vovels : consonants);
useVowels = !useVowels;
}
return result;
internet.password()generated the password by recursing once per character. For largelengthvalues this exhausted the JavaScript call stack and threw a rawRangeError: Maximum call stack size exceeded(reproducible from aroundlength: 5000upwards).This PR rewrites the internal generator as a plain
whileloop, so the length is bounded only by normal time/memory rather than the call-stack depth.Changes
internet.password(): replaced the recursive_password()helper with an iterative loop. The character generation,memorablehandling,patternmatching, andprefixbehaviour are unchanged.RangeErrorbefore).Notes