
StringUtilities.union() method is broken, weakens GenerateStrongPassword #344

@GoogleCodeExporter

What steps will reproduce the problem?
1. Write the following java code
    char [] first = {'1','2'};
    char [] second = {'3','4'};
    System.out.println(StringUtilities.union(first,second));
2. Run to get the output

What is the expected output? What do you see instead?
Expect to see: 1, 2, 3, 4
What I see instead: 112234 (One of the char arrays is repeated)

The StringUtils.union method is also used in the generateStrongPassword 
functionality and this issue weakens the passwords generated

What version of the product are you using? On what operating system?
ESAPI 2.1.0

Does this issue affect only a specified browser or set of browsers?
Not applicable

Please provide any additional information below.

The issue comes because the StringUtils.union method is wrong.

Correct implementation of this function can be (instead of the current method):

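    // Needs java.util.Arrays. contains(StringBuilder, char) is assumed to be
    // the helper already present in StringUtilities.
    public static char[] union(char[]... list) {
        StringBuilder sb = new StringBuilder();

        // Append each character only the first time it is seen, across all input arrays.
        for (char[] characters : list) {
            for (int i = 0; i < characters.length; i++) {
                if (!contains(sb, characters[i]))
                    sb.append(characters[i]);
            }
        }

        // Copy the unique characters out and return them sorted.
        char[] toReturn = new char[sb.length()];
        sb.getChars(0, sb.length(), toReturn, 0);
        Arrays.sort(toReturn);
        return toReturn;
    }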


Original issue reported on code.google.com by siju.mat...@gmail.com on 23 Mar 2015 at 2:46
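
The effect of the duplicated characters on generated passwords can be measured. The following is an added example, not code from the reporter or from ESAPI: it compares the character set quoted in the report (112234) with a duplicate-free union, assuming the password generator draws each character uniformly by index from the array. The class name `UnionBiasDemo`, the helper `bitsPerChar` and the password length of 12 are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeSet;

public class UnionBiasDemo {

    // Duplicate-free, sorted union of any number of char arrays
    // (illustrative stand-in, not the ESAPI implementation).
    static char[] union(char[]... lists) {
        TreeSet<Character> seen = new TreeSet<>();
        for (char[] list : lists) {
            for (char c : list) {
                seen.add(c);
            }
        }
        char[] out = new char[seen.size()];
        int i = 0;
        for (char c : seen) {
            out[i++] = c;
        }
        return out;
    }

    // Shannon entropy, in bits, of one character drawn uniformly by index
    // from the array. Repeated entries make their character more likely.
    static double bitsPerChar(char[] alphabet) {
        Map<Character, Integer> counts = new LinkedHashMap<>();
        for (char c : alphabet) {
            counts.merge(c, 1, Integer::sum);
        }
        double bits = 0.0;
        for (int n : counts.values()) {
            double p = (double) n / alphabet.length;
            bits -= p * (Math.log(p) / Math.log(2));
        }
        return bits;
    }

    public static void main(String[] args) {
        char[] reported = "112234".toCharArray(); // output quoted in the report
        char[] fixed = union(new char[] {'1', '2'}, new char[] {'3', '4'});
        int length = 12; // constructed password length, for illustration only
        System.out.printf("reported %s: %.3f bits/char, %.1f bits total%n",
                new String(reported), bitsPerChar(reported), length * bitsPerChar(reported));
        System.out.printf("fixed    %s: %.3f bits/char, %.1f bits total%n",
                new String(fixed), bitsPerChar(fixed), length * bitsPerChar(fixed));
    }
}
```

A regression test for union() can assert that the returned array contains no repeated character, which is the property whose loss skews the distribution measured here.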
