Fixes #8 - Do not apply normalization rules to passwords without lett…

…ers in them Fixes #7 - Normalization rules in .NET are not converting 5->s
lithnet · Mar 7, 2019 · a282b0b · a282b0b
1 parent db17863
commit a282b0b
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 4 deletions.
diff --git a/src/ManagedUnitTests/V3StoreTests.cs b/src/ManagedUnitTests/V3StoreTests.cs
@@ -112,7 +112,7 @@ public void BuildUsablev3Store()
         public void TestBadPassword()
         {
             V3Store store = new V3Store(@"D:\pwnedpwds\store");
-            Assert.IsTrue(store.IsInStore("monash!!!!", StoreType.Word));
+            Assert.IsTrue(store.IsInStore("password!!!!", StoreType.Word));
         }
 
         [TestMethod]

diff --git a/src/NativeUnitTests/StringNormalizationTests.cpp b/src/NativeUnitTests/StringNormalizationTests.cpp
@@ -44,6 +44,11 @@ namespace NativeUnitTests
 			TestString password(L"Password345!");
 			Assert::AreEqual(L"password", NormalizePassword(password));
 		}
-	};
 
+		TEST_METHOD(NormalizedStringNoLetters)
+		{
+			TestString password(L"123456789");
+			Assert::AreEqual(L"123456789", NormalizePassword(password));
+		}
+	};
 }
diff --git a/src/PasswordFilter/stringnormalization.cpp b/src/PasswordFilter/stringnormalization.cpp
@@ -35,6 +35,11 @@ SecureArrayT<WCHAR> NormalizePassword(const SecureArrayT<WCHAR> &password)
 		return SecureArrayT<WCHAR>(0);
 	}
 
+	if (!HasLetter(password))
+	{
+		return password;
+	}
+
 	SecureArrayT<WCHAR> newPassword = ToLowerInvariant(password);
 
 	RemoveWhiteSpace(newPassword);
@@ -45,6 +50,19 @@ SecureArrayT<WCHAR> NormalizePassword(const SecureArrayT<WCHAR> &password)
 	return newPassword;
 }
 
+bool HasLetter(const SecureArrayT<WCHAR> &s)
+{
+	for (wchar_t* c = s.get(); *c; ++c)
+	{
+		if (std::iswalpha(*c))
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
 void RemoveWhiteSpace(SecureArrayT<WCHAR> &s)
 {
 	LPWSTR cpy = s.get();

diff --git a/src/PasswordFilter/stringnormalization.h b/src/PasswordFilter/stringnormalization.h
@@ -14,3 +14,5 @@ void RemoveWhiteSpace(SecureArrayT<WCHAR> &s);
 void RemoveChars(SecureArrayT<WCHAR> &s, const WCHAR *charsToRemove);
 
 void ReplaceChars(SecureArrayT<WCHAR> &s, const WCHAR *charPairsToReplace);
+
+bool HasLetter(const SecureArrayT<WCHAR> &s);
diff --git a/src/PasswordProtection/StringNormalizer.cs b/src/PasswordProtection/StringNormalizer.cs
@@ -17,7 +17,13 @@ public static class StringNormalizer
 
         public static string Normalize(string password)
         {
+            if (!password.Any(char.IsLetter))
+            {
+                return password;
+            }
+
             password = password.ToLowerInvariant();
+
             password = new string(password.Where(t => !char.IsWhiteSpace(t)).ToArray());
             password = password.TrimEnd(StringNormalizer.CharsToTrim);
             password = password.TrimStart(StringNormalizer.CharsToTrim);
@@ -26,11 +32,11 @@ public static string Normalize(string password)
                 .Replace(".", "")
                 .Replace("+", "")
                 .Replace('$', 's')
+                .Replace('5', 's')
                 .Replace('0', 'o')
                 .Replace('4', 'a')
                 .Replace('3', 'e')
                 .Replace('@', 'a')
-                .Replace('4', 'a')
                 .Replace('^', 'a')
                 .Replace('(', 'c')
                 .Replace('6', 'g')
@@ -41,4 +47,4 @@ public static string Normalize(string password)
                 .Replace('!', 'i');
         }
     }
-}
+}