paralleldrive / cuid2

Next generation guids. Secure, collision-resistant ids optimized for horizontal scaling and performance.
MIT License

`isCuid` incorrectly validates non-CUID strings in version `2.2.2` #79

Closed kova1max closed 1 month ago

kova1max commented 2 months ago

I encountered a problem with the isCuid function in version 2.2.2. Specifically, the function returns true for non-CUID strings.

```js
const cuid = require('cuid');

console.log(cuid.isCuid("42")); // true
```

Environment:

kova1max commented 2 months ago

I discovered that the isCuid function has a minLength: 2 constraint and a second argument, options, which includes both minLength and maxLength parameters. However, the options argument is missing from the type definitions in the index.d.ts file.


The type definitions should include options with minLength and maxLength as properties to accurately represent the function's behaviour.

kova1max commented 2 months ago

Also, a question: Can a CUID be of length 2? 🤔

nksfrank commented 2 months ago

I'm also having an issue with validating strings as cuid2.

```js
isCuid("yi7rqj1trke") // true <- this is the first part of a generated cuid "yi7rqj1trke65guy7oj3imeu"
isCuid("aaaaDLL") // true
```

Are there no better indicators to look at for a valid cuid than checking if it's a string of letters and numbers within a given min/max?

ericelliott commented 1 month ago

> Are there no better indicators to look at for a valid cuid than checking if it's a string of letters and numbers within a given min/max?

We can perhaps improve isCuid, but because Cuid2 is a cryptographically hashed random string, and not an object instance with properties you can check, no, there is no 100% reliable way to reject strings that were NOT generated by Cuid2.
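
The point made in the comment above, as an added example that is not code from the cuid2 project or from any commenter: a shape check can only be a cheap prefilter, so the application decides whether an id is genuine by looking it up among the ids it issued. It assumes ids were generated with cuid2's defaults (24 characters, lowercase base36, first character a letter); the function names and the sample set are hypothetical.

```javascript
// Added example: application-side checks, not the cuid2 library's isCuid.
// Assumption: ids are created with cuid2's defaults (24 characters,
// lowercase base36, first character a letter).
const DEFAULT_LENGTH = 24;

// Strict shape check: exact length instead of a min/max window,
// lowercase only, and a leading letter.
function hasDefaultCuid2Shape(id, length = DEFAULT_LENGTH) {
  return (
    typeof id === 'string' &&
    id.length === length &&
    /^[a-z][0-9a-z]*$/.test(id)
  );
}

// Shape alone never proves origin. Whether an id is genuine is decided by
// looking it up in the records the application itself issued.
function classifyId(id, issuedIds) {
  if (!hasDefaultCuid2Shape(id)) return 'malformed';
  return issuedIds.has(id) ? 'known' : 'unknown';
}

// Constructed sample data: the one full id quoted in the thread is
// treated as issued; everything else is an untrusted input.
const issued = new Set(['yi7rqj1trke65guy7oj3imeu']);
const samples = [
  '42',                       // too short
  'yi7rqj1trke',              // truncated id from the thread
  'aaaaDLL',                  // uppercase and wrong length
  'yi7rqj1trke65guy7oj3imeu', // well-formed and issued
  'a'.repeat(24),             // well-formed but never issued
];

for (const s of samples) {
  console.log(JSON.stringify(s), '->', classifyId(s, issued));
}
```

The last sample is the case a format check cannot catch: it has the right shape and is rejected only by the lookup.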

kova1max commented 1 month ago

@ericelliott – npm version is still 2.2.2