Merge pull request #425 from arif-rh/fix-nothingPersonalValidator

MGatner · web-flow · commit c794d9536060 · 2022-09-09T05:30:43.000-04:00
diff --git a/src/Authentication/Passwords/NothingPersonalValidator.php b/src/Authentication/Passwords/NothingPersonalValidator.php
@@ -114,12 +114,12 @@ protected function isNotPersonal(string $password, ?User $user): bool
             $haystacks = $this->strip_explode($password);
 
             foreach ($haystacks as $haystack) {
-                if (empty($haystack) || in_array($haystack, $trivial, true)) {
-                    continue;  //ignore trivial words
+                if (empty($haystack) || in_array($haystack, $trivial, true) || mb_strlen($haystack, 'UTF-8') < 3) {
+                    continue;  // ignore trivial words
                 }
 
                 foreach ($needles as $needle) {
-                    if (empty($needle) || in_array($needle, $trivial, true)) {
+                    if (empty($needle) || in_array($needle, $trivial, true) || mb_strlen($needle, 'UTF-8') < 3) {
                         continue;
                     }
 
diff --git a/tests/Unit/NothingPersonalValidatorTest.php b/tests/Unit/NothingPersonalValidatorTest.php
@@ -119,6 +119,34 @@ public function testTrueWhenNoUsername(): void
         $this->assertTrue($result->isOK());
     }
 
+    public function testTrueForAllowedTooSmallMatch(): void
+    {
+        $user = new User([
+            'email'    => 'xxx@example.com',
+            'username' => 'john doe',
+        ]);
+
+        $password = 'xx-test@123';
+
+        $result = $this->validator->check($password, $user);
+
+        $this->assertTrue($result->isOK());
+    }
+
+    public function testFalseForSensibleMatch(): void
+    {
+        $user = new User([
+            'email'    => 'xxx@example.com',
+            'username' => 'john doe',
+        ]);
+
+        $password = 'xxx-test@123';
+
+        $result = $this->validator->check($password, $user);
+
+        $this->assertFalse($result->isOK());
+    }
+
     /**
      * The dataProvider is a list of passwords to be tested.
      * Some of them clearly contain elements of the username.

Original file line number	Diff line number	Diff line change
`@@ -114,12 +114,12 @@ protected function isNotPersonal(string $password, ?User $user): bool`
`114`	`114`	`$haystacks = $this->strip_explode($password);`
`115`	`115`
`116`	`116`	`foreach ($haystacks as $haystack) {`
`117`		`- if (empty($haystack) \|\| in_array($haystack, $trivial, true)) {`
`118`		`- continue; //ignore trivial words`
	`117`	`+ if (empty($haystack) \|\| in_array($haystack, $trivial, true) \|\| mb_strlen($haystack, 'UTF-8') < 3) {`
	`118`	`+ continue; // ignore trivial words`
`119`	`119`	`}`
`120`	`120`
`121`	`121`	`foreach ($needles as $needle) {`
`122`		`- if (empty($needle) \|\| in_array($needle, $trivial, true)) {`
	`122`	`+ if (empty($needle) \|\| in_array($needle, $trivial, true) \|\| mb_strlen($needle, 'UTF-8') < 3) {`
`123`	`123`	`continue;`
`124`	`124`	`}`
`125`	`125`