
Run $lines through array_filter() to remove empty strings that can cause unhandled exceptions

Open jamieb-tillo opened this issue 1 year ago • 2 comments

In some cases, the response body pulled from the HaveIBeenPwned API can end with a blank space after the final new line characters. When pulled into the $lines array, this creates an index that consists of just a blank string.

When attempting to call list() on the result of calling explode(':', $line), an Exception is thrown.

This Exception is not caught in this package, or within Laravel NIST which uses it. The stack trace of this Exception exposes the User's password to any logs that record it.

Passing the $lines array through an array_filter() removes any blank indexes and prevents this error.

jamieb-tillo, Jul 13 '22 15:07
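The failure described in the post above, reproduced as an added example (not code from the package or from this pull request). The function names, the `"\r\n"` line separator, the sample response body and the error handler that promotes warnings to `ErrorException` (as a framework such as Laravel does) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: warnings/notices are promoted to ErrorException, as a
// framework error handler such as Laravel's does.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// Hypothetical parser in the shape the issue describes: no filtering.
function parseUnfiltered(string $body): array
{
    $counts = [];
    foreach (explode("\r\n", $body) as $line) {
        // explode(':', '') returns [''], so there is no index 1 to unpack.
        list($suffix, $count) = explode(':', $line);
        $counts[$suffix] = (int) $count;
    }
    return $counts;
}

// Hypothetical hardened parser: trim, then skip lines without "suffix:count".
function parseFiltered(string $body): array
{
    $counts = [];
    foreach (preg_split('/\R/', $body) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2 || $parts[0] === '') {
            continue; // blank, whitespace-only or malformed line
        }
        $counts[$parts[0]] = (int) $parts[1];
    }
    return $counts;
}

// Constructed sample body (not real API output) ending in a line break.
$body = "000000000000000000000000000000000AA:3\r\n"
      . "000000000000000000000000000000000BB:12\r\n";

try {
    parseUnfiltered($body);
} catch (ErrorException $e) {
    echo 'unfiltered parser threw: ', $e->getMessage(), PHP_EOL;
}

// array_filter() without a callback drops only falsy strings ('' and '0'),
// so a whitespace-only line (' ') passes through it.
var_dump(array_filter(explode("\r\n", $body . ' ')));
print_r(parseFiltered($body . ' '));
```

Because the exception is raised while the password is still an argument further up the call stack, any handler that logs full stack traces with arguments will record it; catching the exception at the parsing boundary keeps it out of those logs.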

Currently my users cannot register or edit profile if an exposed password is entered - this PR is much needed. Thanks!

marensas, Jul 14 '22 11:07

Pull Request Test Coverage Report for Build 176

  • 1 of 1 (100.0%) changed or added relevant line in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.0%) to 86.735%

Totals Coverage Status
Change from base Build 173: -0.0%
Covered Lines: 85
Relevant Lines: 98

💛 - Coveralls

coveralls, Jul 23 '22 02:07