Prevent instantiation of DelegatingPasswordEncoder if idPrefix contains idSuffix

ghoonch4 · ghoonch4 · commit 7d2186300edb · 2022-04-01T16:44:43.000+09:00
Closes gh-10933
diff --git a/crypto/src/main/java/org/springframework/security/crypto/password/DelegatingPasswordEncoder.java b/crypto/src/main/java/org/springframework/security/crypto/password/DelegatingPasswordEncoder.java
@@ -119,6 +119,7 @@
  * @author Rob Winch
  * @author Michael Simons
  * @author heowc
+ * @author Jihoon Cha
  * @since 5.0
  * @see org.springframework.security.crypto.factory.PasswordEncoderFactories
  */
@@ -173,6 +174,9 @@ public DelegatingPasswordEncoder(String idForEncode, Map<String, PasswordEncoder
 		if (idSuffix == null || idSuffix.isEmpty()) {
 			throw new IllegalArgumentException("suffix cannot be empty");
 		}
+		if (idPrefix.contains(idSuffix)) {
+			throw new IllegalArgumentException("idPrefix " + idPrefix + " cannot contain idSuffix " + idSuffix);
+		}
 
 		if (!idToPasswordEncoder.containsKey(idForEncode)) {
 			throw new IllegalArgumentException(
diff --git a/crypto/src/test/java/org/springframework/security/crypto/password/DelegatingPasswordEncoderTests.java b/crypto/src/test/java/org/springframework/security/crypto/password/DelegatingPasswordEncoderTests.java
@@ -37,6 +37,7 @@
  * @author Rob Winch
  * @author Michael Simons
  * @author heowc
+ * @author Jihoon Cha
  * @since 5.0
  */
 @ExtendWith(MockitoExtension.class)
@@ -119,9 +120,9 @@ public void constructorWhenPrefixAndSuffixAreEmpty() {
 
 	@Test
 	public void constructorWhenIdContainsPrefixThenIllegalArgumentException() {
-		this.delegates.put('$' + this.bcryptId, this.bcrypt);
+		this.delegates.put('{' + this.bcryptId, this.bcrypt);
 		assertThatIllegalArgumentException()
-				.isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates, "$", "$"));
+				.isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates));
 	}
 
 	@Test
@@ -131,6 +132,12 @@ public void constructorWhenIdContainsSuffixThenIllegalArgumentException() {
 				.isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates, "", "$"));
 	}
 
+	@Test
+	public void constructorWhenPrefixContainsSuffixThenIllegalArgumentException() {
+		assertThatIllegalArgumentException()
+				.isThrownBy(() -> new DelegatingPasswordEncoder(this.bcryptId, this.delegates, "$", "$"));
+	}
+
 	@Test
 	public void setDefaultPasswordEncoderForMatchesWhenNullThenIllegalArgumentException() {
 		assertThatIllegalArgumentException()
