Prevent instantiation of DelegatingPasswordEncoder if idPrefix contains idSuffix

Closes gh-10933
Jihoon Cha 2022-03-29 19:28:41 +09:00 committed by Steve Riesenberg
parent 725a57fccc
commit af7f943325
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
2 changed files with 15 additions and 4 deletions


@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -119,6 +119,7 @@ import java.util.Map;
* @author Rob Winch
* @author Michael Simons
* @author heowc
* @author Jihoon Cha
* @since 5.0
* @see org.springframework.security.crypto.factory.PasswordEncoderFactories
*/
@ -173,6 +174,9 @@ public class DelegatingPasswordEncoder implements PasswordEncoder {
if (idSuffix == null || idSuffix.isEmpty()) {
throw new IllegalArgumentException("suffix cannot be empty");
}
if (idPrefix.contains(idSuffix)) {
throw new IllegalArgumentException("idPrefix " + idPrefix + " cannot contain idSuffix " + idSuffix);
}
if (!idToPasswordEncoder.containsKey(idForEncode)) {
throw new IllegalArgumentException(
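Review bot: The new guard `if (idPrefix.contains(idSuffix))` has no comment saying why this combination is rejected, and the constructor's Javadoc, which lies outside this hunk, should list the new constraint too. A one-line comment above the check would be enough, for example `// the suffix must not occur inside the prefix, otherwise the end of the id in an encoded password cannot be located unambiguously`. The parsing code is not visible here, so confirm that wording against it. The exception message also concatenates both values without delimiters, which is hard to read if either contains whitespace; `"idPrefix '" + idPrefix + "' cannot contain idSuffix '" + idSuffix + "'"` would be clearer.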


@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -37,6 +37,7 @@ import static org.mockito.Mockito.verifyZeroInteractions;
* @author Rob Winch
* @author Michael Simons
* @author heowc
* @author Jihoon Cha
* @since 5.0
*/
@ExtendWith(MockitoExtension.class)
@ -119,9 +120,9 @@ public class DelegatingPasswordEncoderTests {
@Test
public void constructorWhenIdContainsPrefixThenIllegalArgumentException() {
this.delegates.put('$' + this.bcryptId, this.bcrypt);
this.delegates.put('{' + this.bcryptId, this.bcrypt);
assertThatIllegalArgumentException()
.isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates, "$", "$"));
.isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates));
}
@Test
@ -131,6 +132,12 @@ public class DelegatingPasswordEncoderTests {
.isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates, "", "$"));
}
@Test
public void constructorWhenPrefixContainsSuffixThenIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates, "$", "$"));
}
@Test
public void setDefaultPasswordEncoderForMatchesWhenNullThenIllegalArgumentException() {
assertThatIllegalArgumentException()
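Review bot: `constructorWhenPrefixContainsSuffixThenIllegalArgumentException` asserts only the exception type, so it passes if any guard in the constructor throws IllegalArgumentException. The edit to `constructorWhenIdContainsPrefixThenIllegalArgumentException` in the previous hunk suggests this has already happened: its old arguments `"$", "$"` would presumably now trip the new prefix/suffix check rather than the id check the test is named for. Pinning the message ties each test to its guard, for example by appending `.withMessageContaining("cannot contain idSuffix")` after `isThrownBy(...)`. The new test also covers only a prefix equal to the suffix; a second case with a longer prefix, such as `"$[", "$"` (constructed values), would exercise `contains` rather than equality.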