Make secure_compare handle empty strings comparison correctly

Used Rails' secure_compare method inside the definition of secure_compare. This will handle the empty strings comparison and return true when both the parameters are empty strings. Fixes #4441, #4829
2026-01-08 22:37:57 -05:00 · 2018-04-03 08:14:13 +05:30
parent 8054ad55c3
commit 05bbc71446
3 changed files with 10 additions and 8 deletions
--- a/test/devise_test.rb
+++ b/test/devise_test.rb
@@ -86,15 +86,20 @@ class DeviseTest < ActiveSupport::TestCase
    Devise::CONTROLLERS.delete(:kivi)
  end

-  test 'should complain when comparing empty or different sized passes' do
+  test 'Devise.secure_compare fails when comparing different strings or nil' do
    [nil, ""].each do |empty|
      assert_not Devise.secure_compare(empty, "something")
      assert_not Devise.secure_compare("something", empty)
-      assert_not Devise.secure_compare(empty, empty)
    end
+    assert_not Devise.secure_compare(nil, nil)
    assert_not Devise.secure_compare("size_1", "size_four")
  end

+  test 'Devise.secure_compare passes when strings are the same, even two empty strings' do
+    assert Devise.secure_compare("", "")
+    assert Devise.secure_compare("something", "something")
+  end
+
  test 'Devise.email_regexp should match valid email addresses' do
    valid_emails = ["test@example.com", "jo@jo.co", "f4$_m@you.com", "testing.example@example.com.ua", "test@tt", "test@valid---domain.com"]
    non_valid_emails = ["rex", "test user@example.com", "test_user@example server.com"]