ai / nanoid

A tiny (124 bytes), secure, URL-friendly, unique string ID generator for JavaScript
https://zelark.github.io/nano-id-cc/
MIT License

Unverified input breaks nanoid #441

Closed marcbachmann closed 1 year ago

marcbachmann commented 1 year ago

If a string is passed as the first parameter to nanoid after the function has been called the first time (after something is initialized), it breaks the module completely.

$ node
> const { nanoid } = await import("nanoid")
> nanoid()
'sWlakJEKSOw8U8ycEpaCh'
> nanoid('a')
''
> nanoid()
''

Whereas the assertion works if it's called the first time.

$ node
> const { nanoid } = await import("nanoid")
> nanoid('a')
Uncaught:
RangeError [ERR_OUT_OF_RANGE]: The value of "size" is out of range. It must be >= 0 && <= 4294967296. Received NaN
    at __node_internal_captureLargerStackTrace (node:internal/errors:496:5)
    at new NodeError (node:internal/errors:405:5)
    at validateNumber (node:internal/validators:181:11)
    at __node_internal_ (node:buffer:393:3)
    at Function.allocUnsafe (node:buffer:414:3)
    at fillPool (file:///./node_modules/nanoid/index.js:8:19)
    at nanoid (file:///./node_modules/nanoid/index.js:39:3) {
  code: 'ERR_OUT_OF_RANGE'
}

ai commented 1 year ago

You should use TypeScript to prevent these issues.

We export good types: https://github.com/ai/nanoid/blob/main/index.d.ts#L15

Adding an extra check is against the nano-nature of this project.