secure_compare: Check byte size instead of length

Match fixed_length_secure_compare's guard clause.

References #39142.
Tietew 2021-04-03 01:45:29 +09:00 committed by GitHub
parent d264276288
commit 92b8cda4c9
2 changed files with 5 additions and 1 deletions

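--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -31,7 +31,7 @@ def fixed_length_secure_compare(a, b)
 # the secret length. This should be considered when using secure_compare
 # to compare weak, short secrets to user input.
 def secure_compare(a, b)
-a.length == b.length && fixed_length_secure_compare(a, b)
+a.bytesize == b.bytesize && fixed_length_secure_compare(a, b)
 end
 module_function :secure_compare
 end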
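Review bot: The doc comment directly above `secure_compare` still says the early exit leaks "the secret length", but after this change the quantity that leaks through the short-circuit is the byte size, which for multibyte strings differs from `String#length`. I would reword that line to `# the secret's byte size (not its character length). This should be considered when using secure_compare` so readers weighing the leak reason about the right value. The new guard also means two strings that are equal as characters but differently encoded (e.g. UTF-8 vs. UTF-16 representations of the same text) now return false rather than reaching the fixed-length comparison; if that is intended it is worth a sentence in the same comment. The enclosing module header starts outside the hunk.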

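--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -9,6 +9,10 @@ def test_secure_compare_should_perform_string_comparison
 assert_not ActiveSupport::SecurityUtils.secure_compare("a", "b")
 end
 
+def test_secure_compare_return_false_on_bytesize_mismatch
+assert_not ActiveSupport::SecurityUtils.secure_compare("a", "\u{ff41}")
+end
+
 def test_fixed_length_secure_compare_should_perform_string_comparison
 assert ActiveSupport::SecurityUtils.fixed_length_secure_compare("a", "a")
 assert_not ActiveSupport::SecurityUtils.fixed_length_secure_compare("a", "b")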
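Review bot: The new test's name breaks the `test_..._should_...` pattern used by its siblings (`test_secure_compare_should_perform_string_comparison`, `test_fixed_length_secure_compare_should_perform_string_comparison`); renaming it to `test_secure_compare_should_return_false_on_bytesize_mismatch` keeps the file consistent. The choice of `"\u{ff41}"` is also non-obvious to a reader: it is picked because it has the same character length as `"a"` but a larger byte size, which is exactly the case `length` missed and `bytesize` catches, so a one-line comment such as `# fullwidth "a": one character, three bytes, so length matches but bytesize does not` would document why the assertion is meaningful. A second assertion with the arguments swapped, `assert_not ActiveSupport::SecurityUtils.secure_compare("\u{ff41}", "a")`, would cover the symmetric case at no cost.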