peval / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

StringUtilities.union() method is broken, weakens GenerateStrongPassword #344

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Write the following java code
    char [] first = {'1','2'};
    char [] second = {'3','4'};
    System.out.println(StringUtilities.union(first,second));
2. Run to get the output

What is the expected output? What do you see instead?
Expect to see: 1, 2, 3, 4
What I see intead: 112234 (One of the char arrays is repeated)

The StringUtils.union method is also used in the generateStrongPassword 
functionality and this issue weakens the passwords generated

What version of the product are you using? On what operating system?
ESAPI 2.1.0

Does this issue affect only a specified browser or set of browsers?
Not applicable

Please provide any additional information below.

The issue comes because the StringUtils.union method is wrong.

Correct implementation of this function can be (instead of the current method):

   public static char[] union(char[]... list) {
            StringBuilder sb = new StringBuilder();

            for (char[] characters : list) {
                for (int i = 0; i < characters.length; i++) {
                    if (!contains(sb, characters[i]))
                        sb.append(characters[i]);
                }
            }

            char[] toReturn = new char[sb.length()];
            sb.getChars(0, sb.length(), toReturn, 0);
            Arrays.sort(toReturn);
            return toReturn;
        }

Original issue reported on code.google.com by siju.mat...@gmail.com on 23 Mar 2015 at 2:46