Closed
Description
What went wrong?
When hashing a password containing an ASCII NUL character, that character acts as the string terminator. Any following characters are ignored.
What did you expect to happen?
Strings should be handled exactly like in JavaScript, where NUL characters can occur at any position without affecting their length. I realize this is kind of an odd case, but since this is a security-relevant module, it should always behave exactly the way it is supposed to.
Which version of nodejs and OS?
node v12.13.1 on Fedora 31 x86_64
If you find a bug, please write a failing test.
const bcrypt = require('bcrypt');
const assert = require('assert');
const actualPasswd = 'Passw\0rd123';
const badPasswd = 'Passw\0 you can literally write anything after the NUL character';
async function test() {
const hash = await bcrypt.hash(actualPasswd, 12);
const resultWithActualPasswd = await bcrypt.compare(actualPasswd, hash);
const resultWithBadPasswd = await bcrypt.compare(badPasswd, hash);
assert.strictEqual(resultWithActualPasswd, true, 'Should return true with the actual password');
assert.strictEqual(resultWithBadPasswd, false, 'Should return false with a bad password');
}
test()
.then(() => console.log('Test passed'))
.catch(console.error);Metadata
Metadata
Assignees
Labels
No labels