Check blocked words against alphabet case-insensitively #7

Merged
merged 1 commit into from
Aug 30, 2023

aradalvand
Contributor

@aradalvand aradalvand commented Aug 30, 2023

The blocklist should be treated case-insensitively, which it is in isBlockedId:

sqids-spec/src/index.ts

Lines 310 to 311 in 2127f4d

private isBlockedId(id: string): boolean {
  id = id.toLowerCase();

...but not in the constructor during the "cleanup" of the blocklist. If you have an alphabet like this (only uppercase letters):

ABCDEFGHIJKLMNOPQRSTUVWXYZ

The logic for cleaning up the blocklist in the constructor will remove the entire blocklist:

sqids-spec/src/index.ts

Lines 49 to 63 in 2127f4d

// clean up blocklist:
// 1. all blocklist words should be lowercase
// 2. no words less than 3 chars
// 3. if some words contain chars that are not in the alphabet, remove those
const filteredBlocklist = new Set<string>();
const alphabetChars = alphabet.split('');
for (const word of blocklist) {
  if (word.length >= 3) {
    const wordChars = word.split('');
    const intersection = wordChars.filter((c) => alphabetChars.includes(c));
    if (intersection.length == wordChars.length) {
      filteredBlocklist.add(word.toLowerCase());
    }
  }
}

Specifically because of this:

3. if some words contain chars that are not in the alphabet, remove those 

And more specifically this part:

const intersection = wordChars.filter((c) => alphabetChars.includes(c));

Where includes is doing case-sensitive comparisons.

This means you could end up with IDs that contain profanity, e.g. FUCK, BITCH, SEXY, etc.

I haven't added tests yet because I want the bug to be acknowledged first.
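
An added example, not code from this pull request or the sqids-spec repository: the blocklist cleanup described above, run with and without case folding against an uppercase-only alphabet. The function name `cleanBlocklist`, its `caseInsensitive` flag and the sample words are assumptions made for illustration; the merged commit may implement the fix differently.

```typescript
// Added example: constructor-style blocklist cleanup, before and after the fix.
// `cleanBlocklist` and its `caseInsensitive` flag are hypothetical names.

function cleanBlocklist(
  alphabet: string,
  blocklist: string[],
  caseInsensitive: boolean,
): Set<string> {
  // The fix: fold both sides to one case, the same way isBlockedId
  // lowercases the candidate ID before matching.
  const alphabetChars = new Set(
    (caseInsensitive ? alphabet.toLowerCase() : alphabet).split(''),
  );
  const filtered = new Set<string>();
  for (const word of blocklist) {
    if (word.length < 3) continue; // rule 2: drop words shorter than 3 chars
    const probe = caseInsensitive ? word.toLowerCase() : word;
    // rule 3: keep the word only if every char can occur in an ID
    const usable = probe.split('').every((c) => alphabetChars.has(c));
    if (usable) filtered.add(word.toLowerCase()); // rule 1: store lowercase
  }
  return filtered;
}

// Constructed sample input (neutral placeholder words, not the real default list).
const UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const SAMPLE_BLOCKLIST = ['badword', 'BadWord', 'spam', 'ab', 'w0rd'];

// Pre-fix behaviour: lowercase words never match an uppercase-only alphabet,
// so the blocklist is emptied without any error being raised.
const keptBefore = cleanBlocklist(UPPER, SAMPLE_BLOCKLIST, false);
// Post-fix behaviour: only words that truly cannot occur in an ID are dropped.
const keptAfter = cleanBlocklist(UPPER, SAMPLE_BLOCKLIST, true);

console.log('case-sensitive cleanup kept:', keptBefore.size);
console.log('case-insensitive cleanup kept:', keptAfter.size);
```

A startup check that compares the cleaned blocklist size against the configured one would surface this kind of silent filtering when a custom alphabet is supplied.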

@4kimov
Member

4kimov commented Aug 30, 2023

Bug indeed acknowledged, well done! Let me add a test for my own sanity check.

@4kimov 4kimov merged commit 35511dc into sqids:main Aug 30, 2023
3 checks passed
4kimov added a commit that referenced this pull request Aug 30, 2023
@4kimov
Member

4kimov commented Aug 30, 2023

@aradalvand Thoughts on 02d6116 testing for this?

@aradalvand
Contributor Author

aradalvand commented Aug 30, 2023

> @aradalvand Thoughts on 02d6116 testing for this?

Yeah it's good. I'll update sqids-dotnet accordingly.

@4kimov
Member

4kimov commented Aug 30, 2023

Good. Thank you for the nice catch! 💪
I'll update as many as I can + create issues for others.

aradalvand added a commit to sqids/sqids-dotnet that referenced this pull request Aug 30, 2023
aradalvand added a commit to aradalvand/sqids-dotnet that referenced this pull request Aug 30, 2023
aradalvand added a commit to sqids/sqids-dotnet that referenced this pull request Aug 30, 2023