Add extra salt length check for BCrypt

If the salt length is 28 characters and the version is 2{a,x,y}, an IndexOutOfBoundsException is thrown. This commit adds an extra check that the salt length should be at least 29 characters long if the version is not equal to "2". Fixes: gh-6907
7 years ago · d2248d185b
2 changed files with 9 additions and 0 deletions
--- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
@ -780,6 +780,10 @@ public class BCrypt {
				@@ -780,6 +780,10 @@ public class BCrypt {
 		// Extract number of rounds
 		if (salt.charAt(off + 2) > '$')
 			throw new IllegalArgumentException ("Missing salt rounds");
+
+		if (off == 4 && saltLength < 29) {
+			throw new IllegalArgumentException("Invalid salt");
+		}
 		rounds = Integer.parseInt(salt.substring(off, off + 2));

 		real_salt = salt.substring(off + 3, off + 25);
--- a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java
+++ b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java
@ -338,6 +338,11 @@ public class BCryptTests {
				@@ -338,6 +338,11 @@ public class BCryptTests {
 				"$2$05$......................bvpG2UfzdyW/S0ny/4YyEZrmczoJfVm");
 	}

+	@Test(expected = IllegalArgumentException.class)
+	public void hashpwFailsWhenSaltIsTooShort() {
+		BCrypt.hashpw("password", "$2a$10$123456789012345678901");
+	}
+
 	@Test
 	public void equalsOnStringsIsCorrect() {
 		assertThat(BCrypt.equalsNoEarlyReturn("", "")).isTrue();