Prevent instantiation of DelegatingPasswordEncoder if idPrefix contains idSuffix

Closes gh-10933
Jihoon Cha 2022-03-29 19:28:41 +09:00 committed by Steve Riesenberg
parent c719a8e4d4
commit da606627b6
2 changed files with 13 additions and 2 deletions


@ -119,6 +119,7 @@ import java.util.Map;
* @author Rob Winch * @author Rob Winch
* @author Michael Simons * @author Michael Simons
* @author heowc * @author heowc
* @author Jihoon Cha
* @since 5.0 * @since 5.0
* @see org.springframework.security.crypto.factory.PasswordEncoderFactories * @see org.springframework.security.crypto.factory.PasswordEncoderFactories
*/ */
@ -173,6 +174,9 @@ public class DelegatingPasswordEncoder implements PasswordEncoder {
if (idSuffix == null || idSuffix.isEmpty()) { if (idSuffix == null || idSuffix.isEmpty()) {
throw new IllegalArgumentException("suffix cannot be empty"); throw new IllegalArgumentException("suffix cannot be empty");
} }
if (idPrefix.contains(idSuffix)) {
throw new IllegalArgumentException("idPrefix " + idPrefix + " cannot contain idSuffix " + idSuffix);
}
if (!idToPasswordEncoder.containsKey(idForEncode)) { if (!idToPasswordEncoder.containsKey(idForEncode)) {
throw new IllegalArgumentException( throw new IllegalArgumentException(
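Review bot: The new precondition at `if (idPrefix.contains(idSuffix))` is visible only in the code; the constructor's Javadoc (outside the hunk) should carry it so callers configuring custom delimiters learn about it without reading the body, e.g. `@throws IllegalArgumentException if {@code idPrefix} contains {@code idSuffix}`, presumably because the id is extracted by searching for the suffix after the prefix and an overlapping pair would make that search ambiguous. The message wording also differs from its neighbours, which say `prefix`/`suffix` rather than the parameter names; `"prefix " + idPrefix + " cannot contain suffix " + idSuffix` would match the existing style. The enclosing constructor starts and ends outside the hunk.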


@ -37,6 +37,7 @@ import static org.mockito.Mockito.verifyZeroInteractions;
* @author Rob Winch * @author Rob Winch
* @author Michael Simons * @author Michael Simons
* @author heowc * @author heowc
* @author Jihoon Cha
* @since 5.0 * @since 5.0
*/ */
@ExtendWith(MockitoExtension.class) @ExtendWith(MockitoExtension.class)
@ -119,9 +120,9 @@ public class DelegatingPasswordEncoderTests {
@Test @Test
public void constructorWhenIdContainsPrefixThenIllegalArgumentException() { public void constructorWhenIdContainsPrefixThenIllegalArgumentException() {
this.delegates.put('$' + this.bcryptId, this.bcrypt); this.delegates.put('{' + this.bcryptId, this.bcrypt);
assertThatIllegalArgumentException() assertThatIllegalArgumentException()
.isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates, "$", "$")); .isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates));
} }
@Test @Test
@ -131,6 +132,12 @@ public class DelegatingPasswordEncoderTests {
.isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates, "", "$")); .isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates, "", "$"));
} }
@Test
public void constructorWhenPrefixContainsSuffixThenIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates, "$", "$"));
}
@Test @Test
public void setDefaultPasswordEncoderForMatchesWhenNullThenIllegalArgumentException() { public void setDefaultPasswordEncoderForMatchesWhenNullThenIllegalArgumentException() {
assertThatIllegalArgumentException() assertThatIllegalArgumentException()
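Review bot: `constructorWhenPrefixContainsSuffixThenIllegalArgumentException` exercises only the degenerate case where prefix and suffix are identical (`"$", "$"`), so it does not show that a suffix that is a proper substring of the prefix is rejected too, which is what `contains` in the constructor implies. A second assertion in the same test, `.isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates, "{}", "}"))`, would pin that. The reworked `constructorWhenIdContainsPrefixThenIllegalArgumentException` now presumably relies on the two-argument constructor's default `{` prefix; a comment such as `// "$"/"$" would now fail on the prefix-contains-suffix check, so use the default prefix` would record why the test was changed and what it still covers.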