Skip to content

isBase64: reject strings whose length is 1 mod 4 when padding is off#2816

Open
HrachShah wants to merge 1 commit into
validatorjs:masterfrom
HrachShah:fix/isbase64-padded-length-multiple-of-4
Open

isBase64: reject strings whose length is 1 mod 4 when padding is off#2816
HrachShah wants to merge 1 commit into
validatorjs:masterfrom
HrachShah:fix/isbase64-padded-length-multiple-of-4

Conversation

@HrachShah

Copy link
Copy Markdown

Bug: With padding: false, isBase64() accepted any string of valid base64 characters regardless of length, including impossible ones like 'A' (1 char), 'AAAAA' (5 chars), or 'AAAAAAAAA' (9 chars).

Why: A base64 string's length is always 0, 2, 3, 4, 6, 7, 8, 10, 11, 12, 14, ..., i.e. (length % 4) in {0, 2, 3}. A length of the form 4k+1 cannot be produced by any base64 encoding of any byte string. The padding-enabled path already enforced length % 4 == 0; the padding-disabled path was missing the analogous check.

Fix: After the character-class regex matches, also require length % 4 != 1 when padding is off.

Tests: New it() with both standard and urlSafe variants asserts that 1-mod-4 strings are rejected and 0/2/3-mod-4 strings (taken from real base64 encodings) are still accepted. Full suite: 319 passing (was 318).

…(4k+1 lengths cannot be produced by any base64 encoding of any byte string, so isBase64 used to spuriously accept 'A', 'AAAAA', etc. as valid when padding was disabled)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant