Closed jmhooper closed 1 month ago
aduth
commented
1 month ago The implementation of
AbTest#bucketchecks if the discriminator resolved by this discriminator block is blank and returnsnilif it is (ref).
Alternatively, maybe this should check .nil? ? I don't know if we're expecting other values to follow this code path (e.g. false, empty string '')
jmhooper
commented
1 month ago I figured it was safest to change the implementation in the ReCaptcha bucket to avoid any possible side-effects. I'm not sure why we use #blank? and not #nil?, but it looks like it has been there since the beginning.
Another thought is that SecureRandom.alphanumeric(1) has a much smaller set of values it can generate. That could lead to issues where you don't see anybody sorted into buckets with small percentages. WDYT of changing that to something like SecureRandom.alphanumeric(8)?
aduth
commented
1 month ago That seems fine, yeah 👍
The
RECAPTCHA_SIGN_INA/B test has a discriminator block that does the following:nilif captcha was not performedThe implementation of
AbTest#bucketchecks if the discriminator resolved by this discriminator block is blank and returnsnilif it is (ref).The
blank?method has a special implementation forString(ref) that returnstrueif the string consists of only whitespace.The random value here was generated using
SecureRandom.gen_random. This value was then used in theAbTest#bucketto randomly sort unidentified users into AB test buckets.SecureRandom.gen_randomreturns a string of random bytes which can include" ","\n","\r", etc.The combination of the above meant that the discriminator could generate a value that caused the
AbTest#bucketto returnnilforRECAPTCHA_SIGN_INwhen it was intended to return a bucket. This lead to a flaky test (this spec tests that the bucket is not nil; it is nil in the case whereSecureRandom.gen_randomreturns a blank string).This commit changes the call to
SecureRandomso that it only ever generates alphanumeric strings which will never be blank.