vt-middleware / passay

Password policy enforcement for Java.
http://www.passay.org

Add UsernameSubstringRule #143

Closed junsung-cho closed 1 year ago

junsung-cho commented 1 year ago

When the username is username4 and the password is usernameWithPassword, the UsernameRule will return true since it cannot detect a substring of the username.

To address this issue, a new rule called UsernameSubstringRule can be implemented, following a similar approach as the DictionarySubstringRule. The following is an example implementation of this rule in Kotlin:

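import org.passay.DictionarySubstringRule
import org.passay.PasswordData
import org.passay.RuleResult
import org.passay.dictionary.Dictionary

class UsernameSubstringRule : DictionarySubstringRule() {
    override fun validate(passwordData: PasswordData): RuleResult {
        // Usernames shorter than 5 characters must match in full.
        val minimumSubstringLength = minOf(5, passwordData.username.length)

        // Dictionary backed by the username alone: a candidate word matches when it is
        // long enough and occurs in the username, ignoring case.
        dictionary = object : Dictionary {
            override fun search(word: String): Boolean {
                if (word.length < minimumSubstringLength) {
                    return false
                }
                return passwordData.username.lowercase().contains(word.lowercase())
            }

            // Nominal size: the username is the only entry.
            override fun size(): Long {
                return 1
            }
        }
        return super.validate(passwordData)
    }
}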

Please note that I did not consider efficiency or any other factors. Kindly confirm if this approach is acceptable before I proceed to write the code in Java and submit a merge request.

dfish3r commented 1 year ago

Take a look at MatchBehavior. You likely want to add a Substring implementation.

dfish3r commented 1 year ago

No response from reporter. Feel free to reopen if you have further questions.
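The gap raised in the first post, as an added Java example that is not part of the thread and not Passay code: a whole-username containment check next to a shared-substring check with the same 5-character cap the post uses. The class name, method names and sample inputs are hypothetical, and it does not use Passay's MatchBehavior API.

```java
import java.util.Locale;

/** Added example, not Passay code: class and method names are hypothetical. */
public class UsernameOverlapCheck {

  /** Length of the longest case-insensitive substring shared by both inputs. */
  static int longestSharedRun(String username, String password) {
    if (username == null || password == null) {
      return 0;
    }
    String u = username.toLowerCase(Locale.ROOT);
    String p = password.toLowerCase(Locale.ROOT);
    int best = 0;
    int[] prev = new int[p.length() + 1];
    for (int i = 1; i <= u.length(); i++) {
      int[] cur = new int[p.length() + 1];
      for (int j = 1; j <= p.length(); j++) {
        if (u.charAt(i - 1) == p.charAt(j - 1)) {
          cur[j] = prev[j - 1] + 1; // extend the run ending at (i-1, j-1)
          best = Math.max(best, cur[j]);
        }
      }
      prev = cur;
    }
    return best;
  }

  /** True when the password reuses at least minLength consecutive username characters. */
  static boolean reusesUsername(String username, String password, int minLength) {
    if (username == null || username.isEmpty()) {
      return false; // nothing to compare against
    }
    // Same cap as the post: usernames shorter than minLength must match in full.
    int threshold = Math.min(minLength, username.length());
    return longestSharedRun(username, password) >= threshold;
  }

  public static void main(String[] args) {
    // Constructed inputs; the first pair is the case described in the issue.
    String[][] cases = {
      {"username4", "usernameWithPassword"}, {"username4", "xUSERNAME4x"},
      {"bob", "B0bsBurgers!"}, {"bob", "iambob99"},
      {"username4", "correct-horse-battery"},
    };
    for (String[] c : cases) {
      boolean whole = c[1].toLowerCase(Locale.ROOT).contains(c[0].toLowerCase(Locale.ROOT));
      System.out.printf("%-10s %-22s whole=%-5b substring=%b%n",
          c[0], c[1], whole, reusesUsername(c[0], c[1], 5));
    }
  }
}
```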