Regex for encryption too strict #1908
Comments
ForwardKeys
added a commit
to ForwardKeys/light-4j
that referenced
this issue
Oct 24, 2023
CRYPT regexp in YmlConstants has been adapted only to allow AES alike passwords, rendering all previous passwords no longer valid. This regex also invalidates the possibility of using customised Decryptors.
younggwon1
pushed a commit
to younggwon1/light-4j
that referenced
this issue
Feb 10, 2024
CRYPT regexp in YmlConstants has been adapted only to allow AES alike passwords, rendering all previous passwords no longer valid. This regex also invalidates the possibility of using customised Decryptors.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi! We've seen the fix on https://github.com/networknt/light-4j/blob/master/config/src/main/java/com/networknt/config/yml/YmlConstants.java has been reverted, and the constant used for the regex to match encrypted passwords is now way more restrictive than it used to be.
It used to be like:
public static final Pattern CRYPT_PATTERN = Pattern.compile("^CRYPT:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$");And now it's like:
public static final Pattern CRYPT_PATTERN = Pattern.compile("CRYPT:[a-zA-Z0-9:]+");The consequence is all the passwords already in place cannot be decrypted, as they don't match this new regex. This change was fixed in https://github.com/networknt/light-4j/issues/1825 to solve the issue, but it has been reverted. Could it be that was reverted by mistake?
Many thanks in advance
The text was updated successfully, but these errors were encountered: