This library is unsafe and can crash on untrusted input
Opened this issue · 0 comments
The following code will crash.
let hashOfMaxInt64 = "jvNx4BjM5KYjv" // untrusted input
let hashids = Hashids(salt: "this is my salt")
let values = hashids.decode64(hashOfMaxInt64) // 💥 Crash
A simple hash of Int64.max
will crash when attempting to decode because the double overflows the integer during decoding. Personally, I think the Double
-> Int
constructor should return an optional since it can fail as this ends up being a foot-gun in an otherwise safe language.
Because of how hashids work, it is impossible to know ahead of time if a given input is safe without first trying to decode it. If you run this library on a web server on untrusted input, you are at risk of a crash and should patch immediately.
I have opened a PR to address this, but considering this repo has been inactive, I don't expect it to be merged. I will leave my fork with the fix up for others to use.