From 532d0bef14f58330af052d9fa472fff6351c9136 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Tue, 4 Nov 2025 14:03:50 -0700
Subject: [PATCH] Add Test to Confirm 72-byte BCrypt Password Limit

Closes gh-18133
---
 .../bcrypt/BCryptPasswordEncoderTests.java | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java
index b2732ff592..70c8a36572 100644
--- a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java
+++ b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java
@@ -16,12 +16,14 @@
 package org.springframework.security.crypto.bcrypt;
 
+import java.nio.charset.StandardCharsets;
 import java.security.SecureRandom;
 
 import org.junit.jupiter.api.Test;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
+import static org.assertj.core.api.Assertions.assertThatNoException;
 
 /**
  * @author Dave Syer
@@ -253,4 +255,23 @@ public class BCryptPasswordEncoderTests {
 assertThat(encoder.matches(password73chars, encodedPassword73chars)).isTrue();
 }
 
+ /**
+ * Fixes gh-18133
+ * @author StringManolo
+ */
+ @Test
+ void passwordLargerThan72BytesShouldThrowIllegalArgumentException() {
+ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+ String singleByteChars = "a".repeat(68);
+ String password72Bytes = singleByteChars + "😀";
+ assertThat(password72Bytes.length()).isEqualTo(70);
+ assertThat(password72Bytes.getBytes(StandardCharsets.UTF_8).length).isEqualTo(72);
+ assertThatNoException().isThrownBy(() -> encoder.encode(password72Bytes));
+ String singleByteCharsTooLong = "a".repeat(69);
+ String password73Bytes = singleByteCharsTooLong + "😀";
+ assertThat(password73Bytes.getBytes(StandardCharsets.UTF_8).length).isEqualTo(73);
+ assertThatIllegalArgumentException().isThrownBy(() -> encoder.encode(password73Bytes))
+ .withMessageContaining("password cannot be more than 72 bytes");
+ }
+
 }
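Review bot: The test name describes only the rejection half, while the method also asserts that a 72-byte password is accepted; either split it into `passwordOf72BytesShouldEncode` and `passwordLargerThan72BytesShouldThrowIllegalArgumentException`, or rename it so a failure on the `assertThatNoException` line is not reported under a misleading name. The Javadoc `Fixes gh-18133` presents the test as the fix, whereas the commit title says it confirms the limit; `Confirms the 72-byte limit reported in gh-18133` would be accurate. The assertions exercise `encode` only; the context line just above calls `encoder.matches(password73chars, ...)`, so it may be worth adding a `matches` assertion for `password73Bytes` as well, so the byte-based (not char-based) limit is verified on both paths — I cannot tell from the hunk how that earlier 73-character case is set up. The enclosing class starts outside the hunk.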