From f54add533564894f4e301376f79850089ce4e36c Mon Sep 17 00:00:00 2001
From: jackbrett
Date: Thu, 23 Jan 2025 12:39:01 -0600
Subject: [PATCH] add max password length, default 72, configurable via ZXCVBN_MAX_LENGTH env var
---
 README.rst | 13 +++++++++++++
 tests/l33t_exploit_test.py | 12 ++++++++++++
 tests/zxcvbn_test.py | 5 ++++-
 zxcvbn/__init__.py | 8 ++++++++
 4 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 tests/l33t_exploit_test.py
diff --git a/README.rst b/README.rst
index fb3d411..3c3d42c 100644
--- a/README.rst
+++ b/README.rst
@@ -103,6 +103,18 @@ Output:
 }],
 }
+To override the default maximum password length of 72 characters, set the
+``ZXCVBN_MAX_LENGTH`` environment variable:
+
+.. code-block:: bash
+ export ZXCVBN_MAX_LENGTH=128
+ .. warning::
+ We strongly advise against setting ``ZXCVBN_MAX_LENGTH`` to a value greater than 72,
+ as it can lead to long processing times and may leave server-side applications open
+ to denial-of-service scenarios.
+ Custom Ranked Dictionaries
 --------------------------
@@ -121,6 +133,7 @@ In order to support more languages or just add password dictionaries of your own
 These lists will be added to the current ones, but you can also overwrite the current ones if you wish.
 The lists you add should be in order of how common the word is used with the most common words appearing first.
+ CLI
 ~~~
diff --git a/tests/l33t_exploit_test.py b/tests/l33t_exploit_test.py
new file mode 100644
index 0000000..954a249
--- /dev/null
+++ b/tests/l33t_exploit_test.py
@@ -0,0 +1,12 @@
+import pytest
+from zxcvbn import zxcvbn
+
+# Test ACsploit-generated password targeting zxcvbn's l33t matching algorithm
+# (see https://github.com/GoSimpleLLC/nbvcxz/issues/60)
+def test_l33t_exploit():
+ password = "4@8({[ MAX_LENGTH:
+ raise ValueError(f"Password length exceeds {MAX_LENGTH} characters.")
+ try:
 # Python 2 string types
 basestring = (str, unicode)