fix(core): reject non-ASCII SymbolCharset::Custom at generate time

Avoids from_utf8 panic when Custom contains multi-byte UTF-8 chars whose individual bytes are independently sampled into the output. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 15:04:13 -04:00
parent db3f2e15f2
commit 61d6fb723d
1 changed files with 19 additions and 1 deletions
--- a/crates/idfoto-core/src/generators.rs
+++ b/crates/idfoto-core/src/generators.rs
@@ -41,7 +41,14 @@ fn random_password(
        let symbols: &[u8] = match symbol_charset {
            SymbolCharset::SafeOnly => SAFE_SYMBOLS,
            SymbolCharset::Extended => EXTENDED_SYMBOLS,
-            SymbolCharset::Custom(s) => s.as_bytes(),
+            SymbolCharset::Custom(s) => {
+                if !s.is_ascii() {
+                    return Err(IdfotoError::Format(
+                        "SymbolCharset::Custom must be ASCII-only".into(),
+                    ));
+                }
+                s.as_bytes()
+            }
        };
        charset.extend_from_slice(symbols);
    }
@@ -110,4 +117,15 @@ mod tests {
                    "safe charset must not include {c}");
        }
    }
+
+    #[test]
+    fn custom_charset_rejects_non_ascii() {
+        let req = GeneratorRequest::Random {
+            length: 8,
+            classes: CharClasses { lower: false, upper: false, digits: false, symbols: true },
+            symbol_charset: SymbolCharset::Custom("ñé".into()),
+        };
+        let err = generate_password(&req);
+        assert!(err.is_err(), "non-ASCII custom charset must be rejected");
+    }
 }