
Enforce BCrypt password length

Joe Grandja 5 meses atrás
pai
commit
46f0dc6dfc

+ 3 - 0
crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java

@@ -611,6 +611,9 @@ public class BCrypt {
 		int rounds, off;
 		StringBuilder rs = new StringBuilder();
 
+		if (passwordb.length > 72) {
+			throw new IllegalArgumentException("password cannot be more than 72 bytes");
+		}
 		if (salt == null) {
 			throw new IllegalArgumentException("salt cannot be null");
 		}
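Review bot: The new guard dereferences `passwordb.length` before the existing `salt == null` check, so a null `passwordb` would now surface as a NullPointerException instead of an IllegalArgumentException with a message; if callers can pass null, precede it with `if (passwordb == null) { throw new IllegalArgumentException("password cannot be null"); }`. The constant 72 deserves a why-comment, since it is bcrypt's Blowfish key-schedule limit and bytes beyond it were previously ignored rather than rejected, e.g. `// bcrypt uses at most 72 password bytes; longer input was silently truncated before this check`. Because the same exception now fires on the verification side, a hash that was stored from a longer-than-72-byte password under the old truncating behaviour can no longer be checked at all, which is worth calling out in the method's Javadoc or release notes. The enclosing method begins before this hunk, so any pre-existing argument checks above line 611 are not visible here.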

+ 10 - 0
crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java

@@ -222,4 +222,14 @@ public class BCryptPasswordEncoderTests {
 		assertThat(encoder.matches("wrong", "$2a$00$9N8N35BVs5TLqGL3pspAte5OWWA2a2aZIs.EGp7At7txYakFERMue")).isFalse();
 	}
 
+	@Test
+	public void enforcePasswordLength() {
+		BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+		String password72chars = "123456789012345678901234567890123456789012345678901234567890123456789012";
+		assertThat(encoder.matches(password72chars, encoder.encode(password72chars))).isTrue();
+		String password73chars = password72chars.concat("a");
+		assertThatIllegalArgumentException()
+			.isThrownBy(() -> encoder.matches(password73chars, encoder.encode(password73chars)));
+	}
+
 }
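Review bot: The `isThrownBy` lambda in `enforcePasswordLength` wraps both `encoder.encode(password73chars)` and `encoder.matches(...)`, so the exception is raised by `encode` and the test never exercises the rejection inside `matches`; split the cases so each path is pinned: `assertThatIllegalArgumentException().isThrownBy(() -> encoder.encode(password73chars));`, `String validHash = encoder.encode(password72chars);`, `assertThatIllegalArgumentException().isThrownBy(() -> encoder.matches(password73chars, validHash));`. The limit in `BCrypt.hashpw` is enforced on the encoded byte array, not on character count, and this test only uses ASCII digits where the two coincide; a case with multi-byte characters (fewer than 72 characters that presumably encode to more than 72 UTF-8 bytes) would document that byte semantics for callers. Consider also a `// 72 bytes is the bcrypt input limit` comment on `password72chars` so the magic length is explained in the test itself.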