From d2248d185b4d0b1758445e5ebafb6422f3385284 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9on=20van=20der=20Kaap?=
Date: Sat, 8 Jun 2019 23:28:07 +0200
Subject: [PATCH] Add extra salt length check for BCrypt

If the salt length is 28 characters and the version is 2{a,x,y}, an IndexOutOfBoundsException is thrown. This commit adds an extra check that the salt length should be at least 29 characters long if the version is not equal to "2".

Fixes: gh-6907
---
 .../org/springframework/security/crypto/bcrypt/BCrypt.java | 4 ++++
 .../springframework/security/crypto/bcrypt/BCryptTests.java | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
index bdc4638916..cce8c11c9c 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
@@ -780,6 +780,10 @@ public class BCrypt {
 // Extract number of rounds
 if (salt.charAt(off + 2) > '$')
 throw new IllegalArgumentException ("Missing salt rounds");
+
+ if (off == 4 && saltLength < 29) {
+ throw new IllegalArgumentException("Invalid salt");
+ }
 rounds = Integer.parseInt(salt.substring(off, off + 2));
 
 real_salt = salt.substring(off + 3, off + 25);
diff --git a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java
index 1ffb9babfe..3447502de3 100644
--- a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java
+++ b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java
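Review bot: The new guard `if (off == 4 && saltLength < 29)` hard-codes both the minor-version offset and the minimum length instead of deriving them from the `salt.substring(off + 3, off + 25)` call two lines below that it is protecting; a single `if (saltLength < off + 25)` covers the `$2$` (28) and `$2a$`/`$2x$`/`$2y$` (29) layouts alike and documents why the number is what it is. If the length check that precedes this hunk (not visible here) already enforces 28 for the `$2$` form, the generalized condition is equivalent for `off == 3` and only tightens the case this commit targets. The exception text could also name the defect, `throw new IllegalArgumentException("Invalid salt length");`, matching the specificity of the neighbouring `"Missing salt rounds"`. The enclosing hashpw method begins and ends outside this hunk.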
@@ -338,6 +338,11 @@ public class BCryptTests {
 "$2$05$......................bvpG2UfzdyW/S0ny/4YyEZrmczoJfVm");
 }
 
+ @Test(expected = IllegalArgumentException.class)
+ public void hashpwFailsWhenSaltIsTooShort() {
+ BCrypt.hashpw("password", "$2a$10$123456789012345678901");
+ }
+
 @Test
 public void equalsOnStringsIsCorrect() {
 assertThat(BCrypt.equalsNoEarlyReturn("", "")).isTrue();
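Review bot: `hashpwFailsWhenSaltIsTooShort` pins only the rejecting side of the new guard; nothing asserts that a 29-character `$2a$` salt, or a 28-character `$2$` salt, is still accepted, so an over-strict condition (say `< 30`) would pass this suite unnoticed. A companion test such as `BCrypt.hashpw("password", "$2a$10$1234567890123456789012");` (29 characters) with no expected exception would close that gap, assuming those 22 digit characters decode under BCrypt's salt alphabet. Asserting on the message would additionally distinguish the new `"Invalid salt"` rejection from the pre-existing `"Missing salt rounds"` path, which also surfaces as IllegalArgumentException.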