crypto: Add more keylen sanity checks in pbkdf2 #3029
cc @bnoordhuis
b9eaa43 to d9d05fc
/cc @nodejs/collaborators - can I have one more LGTM?
crypto.pbkdf2('password', 'salt', 1, NaN, assert.fail); | ||
}); | ||
|
||
// Should not work with NaN key length |
s/NaN/negative/
One minor nit, otherwise LGTM
// Should not work with Infinity key length | ||
assert.throws(function() { | ||
crypto.pbkdf2('password', 'salt', 1, Infinity, assert.fail); | ||
}); |
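Review bot: the `assert.throws` call around the `Infinity` key length has no second argument, so it passes on any exception thrown inside the callback, including one unrelated to key length validation. Pass an expected error constructor or a message regular expression as the second argument so the test pins the key length rejection specifically.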
Check at least the type of error.
LGTM, except nits from @thefourtheye
issue nodejs#2987 makes the point that crypto.pbkdf2 should not fail silently and accept invalid but numeric values like NaN and Infinity. We already check if the keylen is lower than 0, so extending that to NaN and Infinity should make sense. Fixes: nodejs#2987
d9d05fc to 5550518
@indutny @thefourtheye @mscdex @bnoordhuis Updated, thanks for the remarks :)
LGTM
@bnoordhuis wanna merge? :)
issue #2987 makes the point that crypto.pbkdf2 should not fail silently and accept invalid but numeric values like NaN and Infinity. We already check if the keylen is lower than 0, so extending that to NaN and Infinity should make sense. Fixes: #2987 PR-URL: #3029 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Brian White <mscdex@mscdex.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Thanks @johannhof :-) Landed in 6df47d6
issue #2987 makes the point that crypto.pbkdf2 should not fail silently
and accept invalid but numeric values like NaN and Infinity. We already
check if the keylen is lower than 0, so extending that to NaN and
Infinity should make sense.
Fixes: #2987
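
The commit message above says the existing check only covered key lengths lower than 0. The following is an added example, not code from this PR or from the Node.js source tree, showing why such a comparison lets `NaN` and `Infinity` through and what a stricter guard looks like. The names `looseKeylenOk`, `strictKeylenOk`, `slipsThrough` and `deriveKey`, and the error message text, are hypothetical.

```javascript
// Added example; not code from the Node.js source tree.
// Falls back to null when `require` is unavailable (ES module scope).
const nodeCrypto = typeof require === 'function' ? require('crypto') : null;

// The kind of check the commit message describes: only "lower than 0".
function looseKeylenOk(keylen) {
  return !(keylen < 0); // NaN < 0 and Infinity < 0 are both false
}

// Hypothetical stricter check: finite, non-negative integer only.
function strictKeylenOk(keylen) {
  return Number.isSafeInteger(keylen) && keylen >= 0;
}

// Values that pass the loose check but fail the strict one.
function slipsThrough(values) {
  return values
    .filter((v) => looseKeylenOk(v) && !strictKeylenOk(v))
    .map(String);
}

// Hypothetical wrapper: fail loudly before any key derivation happens.
function deriveKey(password, salt, iterations, keylen, digest) {
  if (!strictKeylenOk(keylen)) {
    throw new TypeError('Bad key length: ' + String(keylen));
  }
  return nodeCrypto.pbkdf2Sync(password, salt, iterations, keylen, digest);
}

// Constructed sample inputs.
const samples = [32, 0, -1, NaN, Infinity, -Infinity, 1.5];
console.log(slipsThrough(samples)); // [ 'NaN', 'Infinity', '1.5' ]
```

Callers that compute `keylen` from arithmetic or parsed input are the ones most likely to hand over `NaN`, so the guard belongs at the point where the value enters the derivation call.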