
BCryptPasswordEncoder handle null rawPassword #7981

Closed
wants to merge 4 commits into from

Conversation

ge1mina023

Detecting the NullPointerException of rawPassword

I believe that BCryptPasswordEncoder's matches() method should have a way to detect whether the rawPassword is null. Because Spring Security deletes the password of the authentication stored in the SecurityContext after I log in, my other authenticate request gets a NullPointerException from BCryptPasswordEncoder's matches(). There should be a way to detect the NullPointerException of rawPassword.

spring-projects-issues added the label "status: waiting-for-triage" (An issue we've not yet triaged) on Feb 13, 2020

@jzheaux jzheaux left a comment


Thanks, @ge1mina023! I've left some feedback inline.

@@ -119,6 +119,11 @@ public boolean matches(CharSequence rawPassword, String encodedPassword) {
return false;
}

if(rawPassword.toString() == null || rawPassword.toString.length() == 0){

Let's have this match the earlier check:

Suggested change
if(rawPassword.toString() == null || rawPassword.toString.length() == 0){
if (rawPassword == null || rawPassword.length() == 0) {

Also, for readability, we should probably place this at the beginning of the method, so that the method parameters are tested in the same order that they are defined.

logger.warn("Empty raw password");
return false;
}
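Review bot: the added guard `if(rawPassword.toString() == null || rawPassword.toString.length() == 0){` does not compile (`rawPassword.toString` is missing its call parentheses) and, once that is fixed, still dereferences rawPassword before testing it, so a null rawPassword throws NullPointerException at the `toString()` call instead of reaching `return false;`. Test the reference itself, `if (rawPassword == null || rawPassword.length() == 0) {`, and since the `return false; }` context above shows the encodedPassword check already runs first, move this guard ahead of it so the parameters are checked in declaration order.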


Would you also add a couple of tests to BCryptPasswordEncoderTests? I think that doesntMatchNullEncodedValue and doesntMatchEmptyEncodedValue are probably good examples to follow.
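As an added example (not code from this PR or from Spring Security itself), a small wrapper that applies the guard the review asks for, testing rawPassword first and never dereferencing it before the null check, with tests in the style of doesntMatchNullEncodedValue; it assumes Spring Security's crypto module, JUnit 5 and AssertJ are on the classpath.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.junit.jupiter.api.Test;
import static org.assertj.core.api.Assertions.assertThat;

// Hypothetical wrapper (not part of Spring Security): a missing or empty
// credential is treated as "does not match" instead of throwing.
class NullSafePasswordMatcher {
    private final PasswordEncoder delegate;

    NullSafePasswordMatcher(PasswordEncoder delegate) {
        this.delegate = delegate;
    }

    boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Parameters are checked in declaration order, and the reference is
        // tested directly: rawPassword.toString() would already throw here.
        if (rawPassword == null || rawPassword.length() == 0) {
            return false;
        }
        if (encodedPassword == null || encodedPassword.length() == 0) {
            return false;
        }
        return delegate.matches(rawPassword, encodedPassword);
    }
}

class NullSafePasswordMatcherTests {
    private final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
    private final NullSafePasswordMatcher matcher = new NullSafePasswordMatcher(encoder);
    // Constructed sample hash; the plaintext is only used inside this test.
    private final String encoded = encoder.encode("password");

    @Test
    void doesntMatchNullRawPassword() {
        assertThat(matcher.matches(null, encoded)).isFalse();
    }

    @Test
    void doesntMatchEmptyRawPassword() {
        assertThat(matcher.matches("", encoded)).isFalse();
    }

    @Test
    void matchesCorrectRawPassword() {
        assertThat(matcher.matches("password", encoded)).isTrue();
    }
}
```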


jzheaux commented Mar 26, 2020

@ge1mina023 in addition to the feedback I left above, would you please compile the code locally with

./gradle check

and squash your commits?

rwinch changed the title from "Fix warn" to "BCryptPasswordEncoder handle null rawPassword" on Mar 27, 2020

jzheaux commented Apr 10, 2020

Closed in favor of #8330

@jzheaux jzheaux closed this Apr 10, 2020