There is some interesting behavior going on when generating a hash with a salt that fits the validation regex, but has a version that doesn't exist, in that it returns the empty string instead of raising:
> salt = "$2a$10$TD5b9p9vdGsuEwKyrtSua."
> BCrypt::Engine.hash_secret("test", salt, 10).to_s
=> "$2a$10$TD5b9p9vdGsuEwKyrtSua.sh9lprEf.VOyagv/sm7PbdPVT46i.1K"
> salt = "$2x$10$TD5b9p9vdGsuEwKyrtSua."
> BCrypt::Engine.hash_secret("test", salt, 10).to_s
=> "$2x$10$TD5b9p9vdGsuEwKyrtSua.sh9lprEf.VOyagv/sm7PbdPVT46i.1K"
> salt = "$00$10$TD5b9p9vdGsuEwKyrtSua."
> BCrypt::Engine.hash_secret("test", salt, 10).to_s
=> ""
This behavior doesn't appear to be covered by specs, and looks to be slightly dangerous if undetected. Would it be a good idea to change the regex at https://github.com/codahale/bcrypt-ruby/blob/master/lib/bcrypt/engine.rb#L81
from /^\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/
to /^\$2[abxy]\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/, or am I missing some use-case here?
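The following is an added example, not code from the bcrypt-ruby project or from the issue author. It shows the defensive pattern a caller can apply regardless of what the gem does: reject a salt whose version prefix is not one of the known bcrypt variants before calling the engine (using the stricter regex proposed above), and treat an empty or malformed engine result as an error rather than storing it as a "hash". The engine is passed in as a callable so the example runs without the gem; FAKE_ENGINE is a constructed stub that only mimics the behavior shown in the irb session (a 60-character result for $2a/$2b/$2x/$2y salts, an empty string otherwise) and does not compute real bcrypt digests.

```ruby
# Added example (not part of bcrypt-ruby): defensive wrapper around a
# bcrypt hashing engine that refuses unknown salt versions and never
# returns an empty string as if it were a valid hash.

# The gem's current salt check, as quoted in the issue (Ruby ^/$ are line anchors).
CURRENT_SALT_RE  = /^\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/
# The stricter check proposed in the issue, with \A and \z so that a salt
# containing a newline cannot satisfy the pattern on one of its lines only.
PROPOSED_SALT_RE = /\A\$2[abxy]\$[0-9]{2,}\$[A-Za-z0-9.\/]{22,}\z/

class InvalidSalt < ArgumentError; end
class HashingFailed < RuntimeError; end

# True only for salts whose version prefix is one bcrypt actually implements.
def valid_bcrypt_salt?(salt)
  PROPOSED_SALT_RE.match?(salt.to_s)
end

# engine: anything responding to call(secret, salt, cost) and returning a String,
# e.g. BCrypt::Engine.method(:hash_secret) when the bcrypt gem is loaded.
def safe_hash_secret(secret, salt, cost, engine)
  raise InvalidSalt, "unsupported bcrypt salt or version: #{salt.inspect}" unless valid_bcrypt_salt?(salt)
  hash = engine.call(secret, salt, cost).to_s
  # The empty string is exactly the failure mode described in the issue.
  raise HashingFailed, 'engine returned an empty hash' if hash.empty?
  # A bcrypt hash is the 29-character salt followed by a 31-character digest.
  unless hash.length == 60 && hash.start_with?(salt)
    raise HashingFailed, 'engine output is not a bcrypt hash for this salt'
  end
  hash
end

# Constructed stub engine: reproduces the observed behavior (non-empty output for
# $2[abxy] salts, empty string otherwise) with a placeholder digest, NOT real bcrypt.
FAKE_ENGINE = lambda do |_secret, salt, _cost|
  salt =~ /\A\$2[abxy]\$/ ? salt + ('x' * 31) : ''
end

if __FILE__ == $PROGRAM_NAME
  good = '$2a$10$TD5b9p9vdGsuEwKyrtSua.'
  bad  = '$00$10$TD5b9p9vdGsuEwKyrtSua.'
  puts safe_hash_secret('test', good, 10, FAKE_ENGINE)
  begin
    safe_hash_secret('test', bad, 10, FAKE_ENGINE)
  rescue InvalidSalt => e
    puts "rejected: #{e.message}"
  end
end
```

The post-call checks matter even once the salt regex is tightened: a wrapper that stores whatever the engine returns would persist an empty string, and any later comparison logic that treats an empty stored value specially (or a comparison against an attacker-chosen empty hash) becomes a silent authentication bug instead of a loud error at hashing time.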