drupal-hash - npm Package Compare versions

Comparing version 1.0.3 to 1.0.4

index.js

@@ -156,3 +156,14 @@ var crypto = require('crypto');
   }
-  return (hashed && stored_hash == hashed);
+
+  // Use a constant time comparison to prevent timing attacks.
+  if (hashed) {
+    var mismatch = hashed.length === stored_hash.length ? 0 : 1;
+    for (var i = 0, l = hashed.length; i < l; ++i) {
+      mismatch |= (hashed.charCodeAt(i) ^ stored_hash.charCodeAt(i));
+    }
+    return mismatch === 0;
+  }
+  else {
+    return false;
+  }
 }
@@ -159,0 +170,0 @@

package.json

 {
   "name": "drupal-hash",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "JavaScript implementation of the hashing algorithm used in Drupal",
@@ -5,0 +5,0 @@ "main": "index.js",

test/test.js

@@ -78,3 +78,21 @@ var expect = require('chai').expect;
   });
+
+  describe('When the password hash is longer than the calculated hash', function() {
+    var longPasswordHash = passwordHash + 'abcd';
+    var result = drupalHash.checkPassword(password, longPasswordHash);
+
+    it('Then the result should be false', function() {
+      expect(result).to.be.false;
+    });
+  });
+
+  describe('When the password hash is shorter than the calculated hash', function() {
+    var shortPasswordHash = passwordHash.substr(0, passwordHash.length - 3);
+    var result = drupalHash.checkPassword(password, shortPasswordHash);
+
+    it('Then the result should be false', function() {
+      expect(result).to.be.false;
+    });
+  });
 });
 

Fixed alerts

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

10143

increased by10.25%

Lines of code

237

increased by11.27%

Number of medium supply chain risk alerts

0

decreased by-100%

No dependency changes