paralleldrive / cuid2

Next generation guids. Secure, collision-resistant ids optimized for horizontal scaling and performance.
MIT License

`isCuid` incorrectly validates non-CUID strings in version `2.2.2` #79

Open kova1max opened 3 weeks ago

kova1max commented 3 weeks ago

I encountered a problem with the isCuid function in version 2.2.2. Specifically, the function returns true for non-CUID strings.

```js
const cuid = require('cuid');

console.log(cuid.isCuid("42")); // true
```

Environment:

kova1max commented 3 weeks ago

I discovered that the isCuid function has a minLength: 2 constraint and a second argument, options, which includes both minLength and maxLength parameters. However, the options argument is missing from the type definitions in the index.d.ts file.

(screenshot attached in the original issue; not reproduced here)

The type definitions should include options with minLength and maxLength as properties to accurately represent the function's behaviour.

kova1max commented 3 weeks ago

Also, a question: Can a CUID be of length 2? 🤔

nksfrank commented 2 weeks ago

I'm also having an issue with validating strings as cuid2.

```js
isCuid("yi7rqj1trke") // true <- this is the first part of a generated cuid "yi7rqj1trke65guy7oj3imeu"
isCuid("aaaaDLL")     // true
```

Are there no better indicators to look at for a valid cuid than checking if it's a string of letters and numbers within a given min/max?

ericelliott commented 10 hours ago

> Are there no better indicators to look at for a valid cuid than checking if it's a string of letters and numbers within a given min/max?

We can perhaps improve isCuid, but because Cuid2 is a cryptographically hashed random string, and not an object instance with properties you can check, no, there is no 100% reliable way to reject strings that were NOT generated by Cuid2.
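Since `isCuid` can only check shape (character set plus a min/max length window), the practical mitigation on the consuming side is to pin the length to the one your application actually generates and treat the result as a format filter, never as proof that Cuid2 produced the string. The block below is an added example, not code from the cuid2 project or from any participant in this thread; it does not import the package. `isPlausibleCuid2`, `classifyIds` and `EXPECTED_LENGTH` are names chosen here, and the assumed rules (ids are lowercase base36, start with a letter, default generated length 24) should be checked against the cuid2 version you run.

```javascript
// Added example: a format-only validator for Cuid2-shaped ids.
// Assumptions, not taken from the cuid2 source: Cuid2 ids are lowercase
// base36 strings that begin with a letter, and the default generated
// length is 24. Set EXPECTED_LENGTH to the length your app generates.

const EXPECTED_LENGTH = 24;

// Charset rule only. Length is checked separately so a caller can pin
// one exact length instead of accepting a loose min/max window.
const CUID2_CHARSET = /^[a-z][0-9a-z]*$/;

function isPlausibleCuid2(id, { length = EXPECTED_LENGTH } = {}) {
  // Reject non-strings outright; never coerce numbers to strings.
  if (typeof id !== 'string') return false;
  // Exact-length pin: a truncated prefix or a short string such as "42"
  // fails here even though every character is in the allowed set.
  if (id.length !== length) return false;
  return CUID2_CHARSET.test(id);
}

// Batch helper for request handlers. Passing this check is a filter, not
// evidence of origin, so the id must still be looked up afterwards.
function classifyIds(ids, options) {
  return ids.map((id) => ({ id, plausible: isPlausibleCuid2(id, options) }));
}

// Constructed sample inputs, taken from the strings quoted in this thread.
const samples = [
  'yi7rqj1trke65guy7oj3imeu', // full 24-char generated id
  'yi7rqj1trke',              // 11-char prefix of the same id
  '42',                       // numeric string reported as accepted by isCuid
  'aaaaDLL',                  // mixed-case string reported as accepted
  42,                         // not a string at all
];

console.log(classifyIds(samples));
```

With the default pin only the full 24-character id passes; the 11-character prefix passes only when the caller explicitly asks for `{ length: 11 }`, which is the point: the validator encodes what your system generates rather than the widest window the library tolerates.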