root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Enforce BCrypt password length

This commit is contained in:
Joe Grandja 2025-02-28 14:02:15 -05:00
parent 36ea1b11a7
commit 46f0dc6dfc
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
View File

@ -611,6 +611,9 @@ public class BCrypt {
int rounds, off; int rounds, off;
StringBuilder rs = new StringBuilder(); StringBuilder rs = new StringBuilder();
if (passwordb.length > 72) {
throw new IllegalArgumentException("password cannot be more than 72 bytes");
}
if (salt == null) { if (salt == null) {
throw new IllegalArgumentException("salt cannot be null"); throw new IllegalArgumentException("salt cannot be null");
} }

10
crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java
View File

@ -222,4 +222,14 @@ public class BCryptPasswordEncoderTests {
assertThat(encoder.matches("wrong", "$2a$00$9N8N35BVs5TLqGL3pspAte5OWWA2a2aZIs.EGp7At7txYakFERMue")).isFalse(); assertThat(encoder.matches("wrong", "$2a$00$9N8N35BVs5TLqGL3pspAte5OWWA2a2aZIs.EGp7At7txYakFERMue")).isFalse();
} }
@Test
public void enforcePasswordLength() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String password72chars = "123456789012345678901234567890123456789012345678901234567890123456789012";
assertThat(encoder.matches(password72chars, encoder.encode(password72chars))).isTrue();
String password73chars = password72chars.concat("a");
assertThatIllegalArgumentException()
.isThrownBy(() -> encoder.matches(password73chars, encoder.encode(password73chars)));
}
} }