RubyGems - zxcvbn - Versions diffs - 0.1.9 → 0.1.10 - Mend

zxcvbn 0.1.9 → 0.1.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6a374558176fa132c830032ab3cf333483389b98ce54ef92bfd026400362a224
-  data.tar.gz: eb751fc63e94b4573144f66ef9cc343695104cd4461fd170931b5b5fa06e0ad2
+  metadata.gz: 2c519c7ba0712720763e56d09f829f3e23a1c7deb0684380da425613185d1916
+  data.tar.gz: dbd22f8b2d540d61e78db3e0be2eab4637dddb4b8bc585be3c4e78a64b56ed05
 SHA512:
-  metadata.gz: e50119ccf438121beee719afe200c7a2085c0a266f5c5595fb95bebc01a10fca980dec4df8a30374dc5f7cf7bb5c57708a7f71565877ee8885d6740e54e71d66
-  data.tar.gz: 1323dff6d9433298bc44c4a2632de42af7137629d02113e60f2a64f6d184967a27a13e161ff3d2404b6a58177d880465bd865cc4d95158bd33c07849ed0361f4
+  metadata.gz: 5e75faed712c76af15e06520f2606d94b9b65c319d02e5833a89d669b771f74061f986c88ad0ddcb8c78dca5f0298ae681155bad24f249df7c257f0bf3a18c27
+  data.tar.gz: cfad539afdfd6bf16a0d541a87cbbbf56f77212e4b89d8e676ead50d97b6058e2bcac2081092095594795823971149330ca49cd5aae94b43f4efff1b0e63adce

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,8 @@
+## [0.1.10] - 2023-10-15
+- [#10] Refactor implementation to avoid thread safety issues for user inputs
+  *Adam Kiczula (@adamkiczula)*
 ## [0.1.9] - 2023-01-27
 - [#6] [#7] Security/Performance fix to vulnerability to DoS attacks.

data/README.md CHANGED Viewed

@@ -95,7 +95,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 ## Contributing
-Bug reports and pull requests are welcome on GitHub at https://github.com/formigarafa/zxcvbn. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/zxcvbn/blob/master/CODE_OF_CONDUCT.md).
+Bug reports and pull requests are welcome on GitHub at https://github.com/formigarafa/zxcvbn-rb. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/formigarafa/zxcvbn-rb/blob/master/CODE_OF_CONDUCT.md).
 ## License
@@ -103,4 +103,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
 ## Code of Conduct
-Everyone interacting in the Zxcvbn project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/zxcvbn/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the Zxcvbn project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/formigarafa/zxcvbn-rb/blob/master/CODE_OF_CONDUCT.md).

data/lib/zxcvbn/matching.rb CHANGED Viewed

@@ -128,64 +128,65 @@ module Zxcvbn
     # ------------------------------------------------------------------------------
     # omnimatch -- combine everything ----------------------------------------------
     # ------------------------------------------------------------------------------
-    def self.omnimatch(password)
+    def self.omnimatch(password, user_inputs = [])
+      user_dict = build_user_input_dictionary(user_inputs)
       matches = []
-      matchers = [
-        :dictionary_match,
-        :reverse_dictionary_match,
-        :l33t_match,
-        :spatial_match,
-        :repeat_match,
-        :sequence_match,
-        :regex_match,
-        :date_match
-      ]
-      matchers.each do |matcher|
-        matches += send(matcher, password)
-      end
+      matches += dictionary_match(password, user_dict, _ranked_dictionaries = RANKED_DICTIONARIES)
+      matches += reverse_dictionary_match(password, user_dict, _ranked_dictionaries = RANKED_DICTIONARIES)
+      matches += l33t_match(password, user_dict, _ranked_dictionaries = RANKED_DICTIONARIES, _l33t_table = L33T_TABLE)
+      matches += spatial_match(password, _graphs = GRAPHS)
+      matches += repeat_match(password, user_dict)
+      matches += sequence_match(password)
+      matches += regex_match(password, _regexen = REGEXEN)
+      matches += date_match(password)
       sorted(matches)
     end
     #-------------------------------------------------------------------------------
     # dictionary match (common passwords, english, last names, etc) ----------------
     #-------------------------------------------------------------------------------
-    def self.dictionary_match(password, _ranked_dictionaries = RANKED_DICTIONARIES)
+    def self.dictionary_match(password, user_dict, _ranked_dictionaries = RANKED_DICTIONARIES)
       # _ranked_dictionaries variable is for unit testing purposes
       matches = []
+      _ranked_dictionaries.each do |dictionary_name, ranked_dict|
+        check_dictionary(matches, password, dictionary_name, ranked_dict)
+      end
+      check_dictionary(matches, password, "user_inputs", user_dict)
+      sorted(matches)
+    end
+    def self.check_dictionary(matches, password, dictionary_name, ranked_dict)
       len = password.length
       password_lower = password.downcase
-      _ranked_dictionaries.each do |dictionary_name, ranked_dict|
-        longest_dict_word_size = RANKED_DICTIONARIES_MAX_WORD_SIZE.fetch(dictionary_name) do
-          ranked_dict.keys.max_by(&:size)&.size || 0
-        end
-        search_width = [longest_dict_word_size, len].min
-        (0...len).each do |i|
-          search_end = [i + search_width, len].min
-          (i...search_end).each do |j|
-            if ranked_dict.key?(password_lower[i..j])
-              word = password_lower[i..j]
-              rank = ranked_dict[word]
-              matches << {
-                "pattern" => "dictionary",
-                "i" => i,
-                "j" => j,
-                "token" => password[i..j],
-                "matched_word" => word,
-                "rank" => rank,
-                "dictionary_name" => dictionary_name,
-                "reversed" => false,
-                "l33t" => false
-              }
-            end
+      longest_word_size = RANKED_DICTIONARIES_MAX_WORD_SIZE.fetch(dictionary_name) do
+        ranked_dict.keys.max_by(&:size)&.size || 0
+      end
+      search_width = [longest_word_size, len].min
+      (0...len).each do |i|
+        search_end = [i + search_width, len].min
+        (i...search_end).each do |j|
+          if ranked_dict.key?(password_lower[i..j])
+            word = password_lower[i..j]
+            rank = ranked_dict[word]
+            matches << {
+              "pattern" => "dictionary",
+              "i" => i,
+              "j" => j,
+              "token" => password[i..j],
+              "matched_word" => word,
+              "rank" => rank,
+              "dictionary_name" => dictionary_name,
+              "reversed" => false,
+              "l33t" => false
+            }
           end
         end
       end
-      sorted(matches)
     end
-    def self.reverse_dictionary_match(password, _ranked_dictionaries = RANKED_DICTIONARIES)
+    def self.reverse_dictionary_match(password, user_dict, _ranked_dictionaries = RANKED_DICTIONARIES)
       reversed_password = password.reverse
-      matches = dictionary_match(reversed_password, _ranked_dictionaries)
+      matches = dictionary_match(reversed_password, user_dict, _ranked_dictionaries)
       matches.each do |match|
         match["token"] = match["token"].reverse
         match["reversed"] = true
@@ -195,10 +196,15 @@ module Zxcvbn
       sorted(matches)
     end
-    def self.user_input_dictionary=(ordered_list)
-      ranked_dict = build_ranked_dict(ordered_list.dup)
-      RANKED_DICTIONARIES["user_inputs"] = ranked_dict
-      RANKED_DICTIONARIES_MAX_WORD_SIZE["user_inputs"] = ranked_dict.keys.max_by(&:size)&.size || 0
+    def self.build_user_input_dictionary(user_inputs_or_dict)
+      # optimization: if we receive a hash, we've been given the dict back (from the repeat matcher)
+      return user_inputs_or_dict if user_inputs_or_dict.is_a?(Hash)
+      sanitized_inputs = []
+      user_inputs_or_dict.each do |arg|
+        sanitized_inputs << arg.to_s.downcase if arg.is_a?(String) || arg.is_a?(Numeric) || arg == true || arg == false
+      end
+      build_ranked_dict(sanitized_inputs)
     end
     #-------------------------------------------------------------------------------
@@ -287,13 +293,13 @@ module Zxcvbn
       sub_dicts
     end
-    def self.l33t_match(password, _ranked_dictionaries = RANKED_DICTIONARIES, _l33t_table = L33T_TABLE)
+    def self.l33t_match(password, user_dict, _ranked_dictionaries = RANKED_DICTIONARIES, _l33t_table = L33T_TABLE)
       matches = []
       enumerate_l33t_subs(relevant_l33t_subtable(password, _l33t_table)).each do |sub|
         break if sub.empty? # corner case: password has no relevant subs.
         subbed_password = translate(password, sub)
-        dictionary_match(subbed_password, _ranked_dictionaries).each do |match|
+        dictionary_match(subbed_password, user_dict, _ranked_dictionaries).each do |match|
           token = password[match["i"]..match["j"]]
           if token.downcase == match["matched_word"]
             next # only return the matches that contain an actual substitution
@@ -403,7 +409,7 @@ module Zxcvbn
     #-------------------------------------------------------------------------------
     # repeats (aaa, abcabcabc) and sequences (abcdef) ------------------------------
     #-------------------------------------------------------------------------------
-    def self.repeat_match(password)
+    def self.repeat_match(password, user_dict)
       matches = []
       greedy = /(.+)\1+/
       lazy = /(.+?)\1+/
@@ -436,7 +442,7 @@ module Zxcvbn
         i = match.begin(0)
         j = match.end(0) - 1
         # recursively match and score the base string
-        base_analysis = Scoring.most_guessable_match_sequence(base_token, omnimatch(base_token))
+        base_analysis = Scoring.most_guessable_match_sequence(base_token, omnimatch(base_token, user_dict))
         base_matches = base_analysis["sequence"]
         base_guesses = base_analysis["guesses"]
         matches << {

data/lib/zxcvbn/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Zxcvbn
-  VERSION = "0.1.9"
+  VERSION = "0.1.10"
 end

data/lib/zxcvbn.rb CHANGED Viewed

@@ -13,13 +13,7 @@ module Zxcvbn
   def self.zxcvbn(password, user_inputs = [])
     start = (Time.now.to_f * 1000).to_i
-    # reset the user inputs matcher on a per-request basis to keep things stateless
-    sanitized_inputs = []
-    user_inputs.each do |arg|
-      sanitized_inputs << arg.to_s.downcase if arg.is_a?(String) || arg.is_a?(Numeric) || arg == true || arg == false
-    end
-    Matching.user_input_dictionary = sanitized_inputs
-    matches = Matching.omnimatch(password)
+    matches = Matching.omnimatch(password, user_inputs)
     result = Scoring.most_guessable_match_sequence(password, matches)
     result["calc_time"] = (Time.now.to_f * 1000).to_i - start
     attack_times = TimeEstimates.estimate_attack_times(result["guesses"])

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: zxcvbn
 version: !ruby/object:Gem::Version
-  version: 0.1.9
+  version: 0.1.10
 platform: ruby
 authors:
 - Rafael Santos
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-01-27 00:00:00.000000000 Z
+date: 2023-10-15 00:00:00.000000000 Z
 dependencies: []
 description: 100% native Ruby 100% compatible port of Dropbox's zxcvbn.js
 email:
@@ -52,7 +52,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: ''