secure_compare: Check byte size instead of length
Match fixed_length_secure_compare's guard clause. References #39142.
parent
d264276288
commit
92b8cda4c9
@ -31,7 +31,7 @@ def fixed_length_secure_compare(a, b)
|
|||||||
# the secret length. This should be considered when using secure_compare
|
# the secret length. This should be considered when using secure_compare
|
||||||
# to compare weak, short secrets to user input.
|
# to compare weak, short secrets to user input.
|
||||||
def secure_compare(a, b)
|
def secure_compare(a, b)
|
||||||
a.length == b.length && fixed_length_secure_compare(a, b)
|
a.bytesize == b.bytesize && fixed_length_secure_compare(a, b)
|
||||||
end
|
end
|
||||||
module_function :secure_compare
|
module_function :secure_compare
|
||||||
end
|
end
|
||||||
|
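Review bot: The doc comment above `secure_compare` still says a timing attack can determine "the secret length", but the guard now compares `bytesize`, so what the early `&&` return exposes is the secret's size in bytes. I would make the wording match, e.g. `# the secret's byte length. This should be considered when using secure_compare`. The comment block starts above the hunk, so the rest of its wording is not visible here and should be checked for the same term.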
@ -9,6 +9,10 @@ def test_secure_compare_should_perform_string_comparison
|
|||||||
assert_not ActiveSupport::SecurityUtils.secure_compare("a", "b")
|
assert_not ActiveSupport::SecurityUtils.secure_compare("a", "b")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_secure_compare_return_false_on_bytesize_mismatch
|
||||||
|
assert_not ActiveSupport::SecurityUtils.secure_compare("a", "\u{ff41}")
|
||||||
|
end
|
||||||
|
|
||||||
def test_fixed_length_secure_compare_should_perform_string_comparison
|
def test_fixed_length_secure_compare_should_perform_string_comparison
|
||||||
assert ActiveSupport::SecurityUtils.fixed_length_secure_compare("a", "a")
|
assert ActiveSupport::SecurityUtils.fixed_length_secure_compare("a", "a")
|
||||||
assert_not ActiveSupport::SecurityUtils.fixed_length_secure_compare("a", "b")
|
assert_not ActiveSupport::SecurityUtils.fixed_length_secure_compare("a", "b")
|
||||||
|
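Review bot: `test_secure_compare_return_false_on_bytesize_mismatch` covers only the mismatch path. Nothing in the visible lines shows that two equal multibyte strings still compare as equal under the new `bytesize` guard, so I would add `assert ActiveSupport::SecurityUtils.secure_compare("\u{ff41}", "\u{ff41}")`. A short comment on the existing assertion would also explain why this pair is the regression case: `# one character each, but different byte sizes (assuming UTF-8 source encoding)`. The test method that follows continues outside the hunk.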