From 564d5644c993f622db8bc22737471c57dd08d166 Mon Sep 17 00:00:00 2001 From: Alan Czajkowski Date: Sat, 4 Apr 2020 12:46:11 -0400 Subject: [PATCH] BCryptPasswordEncoder rawPassword cannot be null Closes gh-8317 --- .../crypto/bcrypt/BCryptPasswordEncoder.java | 8 ++++++++ .../crypto/bcrypt/BCryptPasswordEncoderTests.java | 12 ++++++++++++ 2 files changed, 20 insertions(+) diff --git a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java index c59246320d6..dd787a9ea42 100644 --- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java +++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java @@ -99,6 +99,10 @@ public BCryptPasswordEncoder(BCryptVersion version, int strength, SecureRandom r } public String encode(CharSequence rawPassword) { + if (rawPassword == null) { + throw new IllegalArgumentException("rawPassword cannot be null"); + } + String salt; if (random != null) { salt = BCrypt.gensalt(version.getVersion(), strength, random); @@ -109,6 +113,10 @@ public String encode(CharSequence rawPassword) { } public boolean matches(CharSequence rawPassword, String encodedPassword) { + if (rawPassword == null) { + throw new IllegalArgumentException("rawPassword cannot be null"); + } + if (encodedPassword == null || encodedPassword.length() == 0) { logger.warn("Empty encoded password"); return false; diff --git a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java index 28ac723bce6..1ae357f0193 100644 --- a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java +++ b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java @@ -200,4 +200,16 @@ public void upgradeFromNonBCrypt() { encoder.upgradeEncoding("not-a-bcrypt-password"); } + @Test(expected = IllegalArgumentException.class) + public void encodeNullRawPassword() { + BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(); + encoder.encode(null); + } + + @Test(expected = IllegalArgumentException.class) + public void matchNullRawPassword() { + BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(); + encoder.matches(null, "does-not-matter"); + } + }