I am using slugId which is a node.js module for converting from UUID to base64 URL friendly text and vice-versa. (see: https://github.com/taskcluster/slugid) As one of our QAs was executing tests he found the following which I am unable to explain:
The slugs: aOSL2RT_Rhy-xNuoe3j7ag and aOSL2RT_Rhy-xNuoe3j7ah generate the same UUID: d2369f6c-1eea-4518-a641-33d6c2dc0493.
This is also applicable to more slugs. Example:
0jafbB7qRRimQTPWwtwEkw, 0jafbB7qRRimQTPWwtwEkx. (Both of them translate to UUID: d2369f6c-1eea-4518-a641-33d6c2dc0493)
The decode and decode functions of slugId look sound but I am unable to explain the above behaviour.
A "slugId" is 22 characters. Each character is base64, i.e. representing 6 bits, which means they have a total of 22×6=132 bits. However, UUIDs have only 128 bits; the last 4 bits of the slugId are discarded in the conversion, so there are 16 slugId values that map to each UUID value.
This means you need to sanitize all slugId values on input, e.g. by rejecting any value with one (or more) of those last 4 bits set. Presumably you are already validating them in other ways (e.g. too long, too short, invalid chars, etc.) so this is just one more minor test to be added to the list.