Skip to content

fix(internet): generate long passwords without stack overflow#3946

Open
Shinigami92 wants to merge 5 commits into
nextfrom
fix-internet-password-stack-overflow
Open

fix(internet): generate long passwords without stack overflow#3946
Shinigami92 wants to merge 5 commits into
nextfrom
fix-internet-password-stack-overflow

Conversation

@Shinigami92

Copy link
Copy Markdown
Member

internet.password() generated the password by recursing once per character. For large length values this exhausted the JavaScript call stack and threw a raw RangeError: Maximum call stack size exceeded (reproducible from around length: 5000 upwards).

This PR rewrites the internal generator as a plain while loop, so the length is bounded only by normal time/memory rather than the call-stack depth.

Changes

  • internet.password(): replaced the recursive _password() helper with an iterative loop. The character generation, memorable handling, pattern matching, and prefix behaviour are unchanged.
  • Added a regression test that generates a 100,000-character password and asserts it succeeds (this threw a RangeError before).

Notes

  • No behavioural change: the random-number-generator call order and count are identical, so all seeded snapshots are unchanged.

@Shinigami92 Shinigami92 self-assigned this Jul 8, 2026
@Shinigami92 Shinigami92 requested a review from a team as a code owner July 8, 2026 16:04
@Shinigami92 Shinigami92 added c: bug Something isn't working m: internet Something is referring to the internet module labels Jul 8, 2026
@netlify

netlify Bot commented Jul 8, 2026

Copy link
Copy Markdown

Deploy Preview for fakerjs ready!

Name Link
🔨 Latest commit 3906a76
🔍 Latest deploy log https://app.netlify.com/projects/fakerjs/deploys/6a4faf0e8d7abc0008e2a094
😎 Deploy Preview https://deploy-preview-3946.fakerjs.dev
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

Comment thread test/modules/internet.spec.ts Outdated
Comment thread src/modules/internet/module.ts Outdated
Co-authored-by: Shinigami <chrissi92@hotmail.de>
@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.84%. Comparing base (c2cd91d) to head (3906a76).

Additional details and impacted files
@@            Coverage Diff             @@
##             next    #3946      +/-   ##
==========================================
- Coverage   98.84%   98.84%   -0.01%     
==========================================
  Files         923      923              
  Lines        3216     3215       -1     
  Branches      583      565      -18     
==========================================
- Hits         3179     3178       -1     
  Misses         33       33              
  Partials        4        4              
Files with missing lines Coverage Δ
src/modules/internet/module.ts 100.00% <100.00%> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ST-DDT ST-DDT added the p: 1-normal Nothing urgent label Jul 8, 2026
@ST-DDT ST-DDT added this to the v10.x milestone Jul 8, 2026
ST-DDT
ST-DDT previously approved these changes Jul 8, 2026
Comment thread src/modules/internet/module.ts Outdated
ST-DDT
ST-DDT previously approved these changes Jul 8, 2026
Comment thread test/modules/internet.spec.ts
Comment thread src/modules/internet/module.ts
@xDivisionByZerox

Copy link
Copy Markdown
Member

This PR was created due to a security advisory we received. Wouldn't it be proper etiquette to:

  1. Label this PR with c: security Indicates a vulnerability or a potentially (security) risky change. ?
  2. Mention the vulnerability report (even if not visible for the public right now)?
  3. Give credit to the author of the report?

I never had to work on an actual "live" vulnerability/disclosure process myself so these are honest questions I'm asking.

@Shinigami92

Shinigami92 commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

This PR was created due to a security advisory we received. Wouldn't it be proper etiquette to:

  1. Label this PR with


    c: security

    Indicates a vulnerability or a potentially (security) risky change.
    ?

  2. Mention the vulnerability report (even if not visible for the public right now)?

  3. Give credit to the author of the report?

I never had to work on an actual "live" vulnerability/disclosure process myself so these are honest questions I'm asking.

Actually I omitted all this by design, so e.g. AIs listening don't get that we are actually working on a fix for that 🫠 Now you exposed something that was privately gated behind the scenes.

@xDivisionByZerox

Copy link
Copy Markdown
Member

Now you exposed something that was privately gated behind the scenes.

The existence of this PR is sufficient information for anybody that is reading through the repo (your AI friends). I am not exposing anything that is not clear by looking at the patch you provided here itself. 🤷‍♀️

@Shinigami92

Copy link
Copy Markdown
Member Author

Now you exposed something that was privately gated behind the scenes.

The existence of this PR is sufficient information for anybody that is reading through the repo (your AI friends). I am not exposing anything that is not clear by looking at the patch you provided here itself. 🤷‍♀️

Sorry, I didn't want to be mean or toxic but a bit more funny while also kicking a thought process on your side.

For me it makes a difference if someone can search GitHub repos via api by security label and find unfixed bugs, or if they scan the repository with AI, because in the later one they at least took the effort (at least now) to spend money on the investigation.

But I think we can clearly all agree that open source code is open and therefore scannable. I just saw a difference on non obvious vs obvious.

But I'm thankful for the reviews and the hint to e.g. problem with the while loop, I will try to tackle this this evening after work. 🤝

@ST-DDT ST-DDT left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO we should deprecate a lot of the legacy options from this method immediately and remove them in v11.0.

Maybe even simplify the implememtation to length only and then expand it if demand exists using the generator type pattern outlined in the issue.

As for the current fix implementation:
The method pools the characters from a very limited set. Instead of verifying that the chosen character matches the pattern, we could pre filter all characters and then pass only the matching to fromCharacters.
If no character match, then that method should throw an error. This will likely also improve the performance of the method since it will no longer attempt to generate banned characters.

const vowels = [...].filter(regex.test)
const consonants = [...].filter(regex.test)
let useVowels = boolean();
let result = ''
for (i...length) {
  result += fromCharacters(useVowels ? vovels : consonants);
  useVowels = !useVowels;
}
return result;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

c: bug Something isn't working m: internet Something is referring to the internet module p: 1-normal Nothing urgent

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants