From c52a36a9ea2acea5f22b02c8c3dc794979cea7f5 Mon Sep 17 00:00:00 2001
From: Alan Czajkowski
Date: Sat, 4 Apr 2020 12:46:11 -0400
Subject: [PATCH] BCryptPasswordEncoder rawPassword cannot be null

Closes gh-8317
---
 .../crypto/bcrypt/BCryptPasswordEncoder.java | 8 ++++++++
 .../crypto/bcrypt/BCryptPasswordEncoderTests.java | 12 ++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java
index c59246320d6..dd787a9ea42 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java
@@ -99,6 +99,10 @@ public BCryptPasswordEncoder(BCryptVersion version, int strength, SecureRandom r
 	}
 
 	public String encode(CharSequence rawPassword) {
+		if (rawPassword == null) {
+			throw new IllegalArgumentException("rawPassword cannot be null");
+		}
+
 		String salt;
 		if (random != null) {
 			salt = BCrypt.gensalt(version.getVersion(), strength, random);
@@ -109,6 +113,10 @@ public String encode(CharSequence rawPassword) {
 	}
 
 	public boolean matches(CharSequence rawPassword, String encodedPassword) {
+		if (rawPassword == null) {
+			throw new IllegalArgumentException("rawPassword cannot be null");
+		}
+
 		if (encodedPassword == null || encodedPassword.length() == 0) {
 			logger.warn("Empty encoded password");
 			return false;
diff --git a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java
index 28ac723bce6..1ae357f0193 100644
--- a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java
+++ b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java
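Review bot: The new guard in matches() sits above the existing encodedPassword null/empty branch, so matches(null, null) and matches(null, "") now throw IllegalArgumentException where they previously logged "Empty encoded password" and returned false; callers that treated any bad input as a plain non-match get an exception instead, and nothing in the hunk documents that contract. If the ordering is intended, both encode() and matches() should carry `@throws IllegalArgumentException if {@code rawPassword} is null` in their Javadoc (and the declaring interface, presumably PasswordEncoder, if its contract is meant to change). The check and its message are duplicated verbatim across the two hunks; a private static helper such as `assertRawPasswordNotNull(CharSequence rawPassword)` would keep the message in one place and match the way the constructor already rejects bad arguments with IllegalArgumentException. Both encode() and matches() continue past the end of their respective hunks.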
@@ -200,4 +200,16 @@ public void upgradeFromNonBCrypt() {
 		encoder.upgradeEncoding("not-a-bcrypt-password");
 	}
 
+	@Test(expected = IllegalArgumentException.class)
+	public void encodeNullRawPassword() {
+		BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+		encoder.encode(null);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void matchNullRawPassword() {
+		BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+		encoder.matches(null, "does-not-matter");
+	}
+
 }
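Review bot: matchNullRawPassword() only pins the case where encodedPassword is non-null, so the behaviour change for a null or empty encodedPassword combined with a null rawPassword (previously a logged warning and false, now an exception, because the new guard runs first) is left untested. One more expected-exception test, `encoder.matches(null, null);`, would document that ordering and catch a later reordering of the two checks. The tests also assert only the exception type; if the "rawPassword cannot be null" message is meant to be stable, asserting it would guard the helper extraction suggested for the main-source hunks.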