Make SimpleSymbols safe for directly using in URLs (#1)

tamalsaha · web-flow · commit 2e5b9f2ed910 · 2020-09-28T05:14:08.000-07:00
Signed-off-by: Tamal Saha &lt;tamal@appscode.com&gt;
diff --git a/password.go b/password.go
@@ -11,8 +11,11 @@ const (
 	Uppercase     Charset = 1 << iota // 1 << 0 which is 00000001
 	Lowercase                         // 1 << 1 which is 00000010
 	Numbers                           // 1 << 2 which is 00000100
-	Symbols                           // 1 << 3 which is 00001000
-	SimpleSymbols                     // 1 << 4 which is 00001000
+	Unreserved                        // 1 << 3 which is 00001000
+	Reserved                          // 1 << 4 which is 00010000
+	SimpleSymbols                     // 1 << 5 which is 00100000
+	Symbols                           // 1 << 6 which is 01000000
+	Default       = Uppercase | Lowercase | Numbers | SimpleSymbols
 )
 
 var (
@@ -22,14 +25,18 @@ var (
 	len_lowercase      = len(lowercase)
 	numbers            = []byte(`0123456789`)
 	len_numbers        = len(numbers)
+	unreserved         = []byte(`-._~`) // ref: https://perishablepress.com/stop-using-unsafe-characters-in-urls/
+	len_unreserved     = len(unreserved)
+	reserved           = []byte(`!#$&'()*+,/:;=?@[]`)
+	len_reserved       = len(reserved)
+	simple_symbols     = []byte(`!$&'()*+,-.:;=@_~`) // ref: https://github.com/golang/go/blob/release-branch.go1.15/src/net/url/url.go#L1158-L1186 ,  missing: Unreserved | Reserved - #/?[]
+	len_simple_symbols = len(simple_symbols)
 	symbols            = []byte(`!"#$%&'()*+,-./:;<=>?@^[\]_{|}~` + "`")
 	len_symbols        = len(symbols)
-	simple_symbols     = []byte(`!#$%&*+-=?@^_|`)
-	len_simple_symbols = len(simple_symbols)
 )
 
 func Generate(n int) string {
-	return GenerateForCharset(n, Uppercase|Lowercase|Numbers|SimpleSymbols)
+	return GenerateForCharset(n, Default)
 }
 
 func GenerateForCharset(n int, chset Charset) string {
@@ -45,12 +52,18 @@ func GenerateForCharset(n int, chset Charset) string {
 	if chset&Numbers != 0 {
 		count += len_numbers
 	}
-	if chset&Symbols != 0 {
-		count += len_symbols
+	if chset&Unreserved != 0 {
+		count += len_unreserved
+	}
+	if chset&Reserved != 0 {
+		count += len_reserved
 	}
 	if chset&SimpleSymbols != 0 {
 		count += len_simple_symbols
 	}
+	if chset&Symbols != 0 {
+		count += len_symbols
+	}
 	max := big.NewInt(int64(count))
 
 	for i := 0; i < n; i++ {
@@ -84,12 +97,20 @@ func GenerateForCharset(n int, chset Charset) string {
 				idx -= len_numbers
 			}
 		}
-		if chset&Symbols != 0 {
-			if idx < len_symbols {
-				buf[i] = symbols[idx]
+		if chset&Unreserved != 0 {
+			if idx < len_unreserved {
+				buf[i] = unreserved[idx]
 				continue
 			} else {
-				idx -= len_symbols
+				idx -= len_unreserved
+			}
+		}
+		if chset&Reserved != 0 {
+			if idx < len_reserved {
+				buf[i] = reserved[idx]
+				continue
+			} else {
+				idx -= len_reserved
 			}
 		}
 		if chset&SimpleSymbols != 0 {
@@ -100,6 +121,14 @@ func GenerateForCharset(n int, chset Charset) string {
 				idx -= len_simple_symbols
 			}
 		}
+		if chset&Symbols != 0 {
+			if idx < len_symbols {
+				buf[i] = symbols[idx]
+				continue
+			} else {
+				idx -= len_symbols
+			}
+		}
 	}
 	return string(buf)
 }
diff --git a/password_test.go b/password_test.go
@@ -54,10 +54,17 @@ func TestGenerateForCharset2(t *testing.T) {
 			},
 		},
 		{
-			name: "Uppercase | Lowercase | Symbols",
+			name: "Uppercase | Lowercase | Unreserved",
 			args: args{
 				n:     8,
-				chset: Uppercase | Lowercase | Symbols,
+				chset: Uppercase | Lowercase | Unreserved,
+			},
+		},
+		{
+			name: "Uppercase | Lowercase | Reserved",
+			args: args{
+				n:     8,
+				chset: Uppercase | Lowercase | Reserved,
 			},
 		},
 		{
@@ -67,6 +74,13 @@ func TestGenerateForCharset2(t *testing.T) {
 				chset: Uppercase | Lowercase | SimpleSymbols,
 			},
 		},
+		{
+			name: "Uppercase | Lowercase | Symbols",
+			args: args{
+				n:     8,
+				chset: Uppercase | Lowercase | Symbols,
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -98,8 +112,13 @@ func uses_charset(str string, chset Charset) bool {
 				continue
 			}
 		}
-		if chset&Symbols != 0 {
-			if contains(symbols, data[i]) {
+		if chset&Unreserved != 0 {
+			if contains(unreserved, data[i]) {
+				continue
+			}
+		}
+		if chset&Reserved != 0 {
+			if contains(reserved, data[i]) {
 				continue
 			}
 		}
@@ -108,6 +127,11 @@ func uses_charset(str string, chset Charset) bool {
 				continue
 			}
 		}
+		if chset&Symbols != 0 {
+			if contains(symbols, data[i]) {
+				continue
+			}
+		}
 		return false
 	}
 	return true
