chingfeng / vt-middleware

Automatically exported from code.google.com/p/vt-middleware

vt-password: RegexRule is not validated properly #207

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

Validation with a regular expression is broken: it fails when the password matches 
the pattern but passes otherwise.

Execute the following code:

```java
import java.util.ArrayList;
import java.util.List;
import edu.vt.middleware.password.*;

public class RegexRuleRepro {
    public static void main(String[] args) {
        List<Rule> mandatoryRules = new ArrayList<Rule>();
        PasswordValidator validator = new PasswordValidator(mandatoryRules);
        String ALLOWED_CHARACTERS_REGEX = "[a]";
        RegexRule regexRule = new RegexRule(ALLOWED_CHARACTERS_REGEX);
        mandatoryRules.add(regexRule);
        PasswordData passwordData = new PasswordData(new Password("a"));
        // Validate the password "a" against the single RegexRule
        RuleResult rulesValidationresult = validator.validate(passwordData);
        if (rulesValidationresult.isValid()) {
            System.out.println("OK");
        } else {
            System.out.println("ERROR");
        }
    }
}
```

What is the expected output? What do you see instead?

Expected output should be OK because "a" matches pattern "[a]" but output is 
ERROR.

What version of the product are you using? On what operating system?

```xml
<groupId>edu.vt.middleware</groupId>
<artifactId>vt-password</artifactId>
<version>3.1.2</version>
```

java version "1.7.0_25"

Please provide any additional information below.

Fix: RegexRule.java line 54 should be:
if (!m.find()) {

Original issue reported on code.google.com by gwozd...@gmail.com on 17 Feb 2014 at 3:42

GoogleCodeExporter commented 8 years ago
I just took a look at the unit tests and it seems that RegexRule is negative 
validation by design (fails when password matches pattern), not positive as I 
expected (succeeds when password matches pattern). This should be clearly 
stated in the documentation. Additionally, I would expect to have 2 versions of 
the RegexRule class - positive and negative.

Original comment by gwozd...@gmail.com on 17 Feb 2014 at 11:33

GoogleCodeExporter commented 8 years ago
> I just took a look at unit tests and it seems that RegexRule is negative 
> validation by design (fails when password matches pattern)

That's correct. The rule fails for passwords matching the regex.

Original comment by dfis...@gmail.com on 17 Feb 2014 at 4:10

GoogleCodeExporter commented 8 years ago
It would be a trivial change to add a property to RegexRule to control this 
behavior.
Perhaps RegexRule#succeedOnMatch or something like it.

Original comment by dfis...@gmail.com on 17 Feb 2014 at 4:40

GoogleCodeExporter commented 8 years ago
RegexRule renamed to IllegalRegexRule.
Added AllowedRegexRule to provide positive matching.
https://github.com/vt-middleware/passay/issues/10

Note that vt-password is in maintenance, and only receiving security patches.

Original comment by dfis...@gmail.com on 10 Oct 2014 at 2:05
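
The two polarities discussed in this thread, as an added example that is not part of the original issue and is not vt-password or Passay code: it uses only `java.util.regex`, and the class and method names are hypothetical. It also compares `find()` with `matches()` for the allow-list case, using the reporter's pattern and constructed sample passwords.

```java
import java.util.regex.Pattern;

// Added illustration; RegexPolarityDemo and its methods are hypothetical names,
// not classes from vt-password or Passay.
public class RegexPolarityDemo {

    /** Deny-list polarity (the behaviour the thread describes for RegexRule):
     *  the password is valid only if the pattern is NOT found in it. */
    static boolean validIfNotFound(String regex, String password) {
        return !Pattern.compile(regex).matcher(password).find();
    }

    /** Allow-list polarity using find(): valid if the pattern occurs anywhere. */
    static boolean validIfFound(String regex, String password) {
        return Pattern.compile(regex).matcher(password).find();
    }

    /** Allow-list polarity using matches(): valid only if the WHOLE password matches. */
    static boolean validIfWholeMatch(String regex, String password) {
        return Pattern.compile(regex).matcher(password).matches();
    }

    public static void main(String[] args) {
        String regex = "[a]";                   // pattern from the report
        String[] samples = {"a", "b", "a<>;"};  // constructed sample passwords
        System.out.printf("%-8s %-10s %-10s %-10s%n",
            "input", "notFound", "found", "wholeMatch");
        for (String s : samples) {
            System.out.printf("%-8s %-10b %-10b %-10b%n", s,
                validIfNotFound(regex, s),
                validIfFound(regex, s),
                validIfWholeMatch(regex, s));
        }
    }
}
```

For the sample `a<>;`, the `find()`-based allow-list check accepts the password because the pattern occurs somewhere in it, while the `matches()`-based check rejects it; an allowed-characters pattern therefore needs a whole-string match (or explicit anchors and a quantifier).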