
BCryptPasswordEncoderTests should password limit of 72 bytes #18133

@StringManolo

Description


The test is using the string size in chars, but not in bytes (bytes is the internal check to fix CVE-2025-22228)

This is a pointless check since a password of 72 characters that has the char 'ñ' will pass the test but not be a valid password (72 chars, but 73 bytes). 'ñ' is 2 bytes in UTF-8.

Line 222:

public void matchesWhenPasswordOverMaxLengthThenAllowToMatch() {

Example of a valid test:

// Imports this test needs (they belong at the top of BCryptPasswordEncoderTests);
// 'encoder' is the test class's existing BCryptPasswordEncoder field.
import java.nio.charset.StandardCharsets;
import org.junit.jupiter.api.Test;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.assertj.core.api.Assertions.assertThatNoException;

@Test
void passwordLargerThan72BytesShouldThrowIllegalArgumentException() {
    // BCrypt max password size is 72 bytes.
    // We create a password that is 72 bytes long but has less than 72 characters.

    // The emoji '😀' (U+1F600) is a 4-byte UTF-8 character.
    // We use 68 single-byte characters + 1 four-byte character (68 + 4 = 72 bytes)
    String singleByteChars = "a".repeat(68);
    String password72Bytes = singleByteChars + "😀";

    // Total length: 69 characters (code points). Note that String.length() counts
    // UTF-16 code units and would return 70 here, because the emoji is a surrogate pair.
    assertThat(password72Bytes.codePointCount(0, password72Bytes.length())).isEqualTo(69);

    // Total byte length should be 72 bytes.
    assertThat(password72Bytes.getBytes(StandardCharsets.UTF_8).length).isEqualTo(72);

    // This 72-byte password should PASS (it's the maximum allowed length).
    assertThatNoException()
        .isThrownBy(() -> encoder.encode(password72Bytes));

    // Now, create a password that is 73 bytes long.
    // 69 single-byte characters + 1 four-byte character (69 + 4 = 73 bytes)
    String singleByteCharsTooLong = "a".repeat(69);
    String password73Bytes = singleByteCharsTooLong + "😀";

    // Total byte length should be 73 bytes.
    assertThat(password73Bytes.getBytes(StandardCharsets.UTF_8).length).isEqualTo(73);

    // This 73-byte password should FAIL.
    // The test will confirm that the exception is based on byte length, not character length.
    assertThatIllegalArgumentException()
        .isThrownBy(() -> encoder.encode(password73Bytes))
        .withMessageContaining("Password is longer than 72 bytes");
}
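The point of the issue is that a Java password string has three different "lengths": UTF-16 code units (`String.length()`), code points (what people usually mean by "characters"), and UTF-8 bytes, which is all BCrypt ever sees. The following stand-alone program is an added illustration, not Spring Security's code or the reporter's test; `requireAtMost72Bytes` is a hypothetical stand-in for the byte-based limit, and the sample passwords are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;

// Added example: compares UTF-16 units, code points and UTF-8 bytes for a few
// passwords and applies a byte-based 72-byte limit (hypothetical stand-in for
// the internal check, not Spring Security's implementation).
public class PasswordLengthDemo {

    /** BCrypt only consumes the first 72 bytes of the password. */
    static final int BCRYPT_MAX_BYTES = 72;

    /** Length in UTF-8 bytes, the unit the limit must be enforced in. */
    static int utf8Length(String password) {
        return password.getBytes(StandardCharsets.UTF_8).length;
    }

    /** Hypothetical byte-based check: rejects anything longer than 72 bytes. */
    static void requireAtMost72Bytes(String password) {
        int bytes = utf8Length(password);
        if (bytes > BCRYPT_MAX_BYTES) {
            throw new IllegalArgumentException(
                "password is " + bytes + " bytes, limit is " + BCRYPT_MAX_BYTES);
        }
    }

    static void report(String label, String password) {
        boolean accepted;
        try {
            requireAtMost72Bytes(password);
            accepted = true;
        } catch (IllegalArgumentException e) {
            accepted = false;
        }
        System.out.printf("%-20s utf16=%d codepoints=%d utf8bytes=%d accepted=%b%n",
            label,
            password.length(),                              // UTF-16 code units
            password.codePointCount(0, password.length()),  // "characters"
            utf8Length(password),                           // what BCrypt hashes
            accepted);
    }

    public static void main(String[] args) {
        // Constructed sample passwords; U+1F600 is the 4-byte emoji from the issue.
        String emoji = "\uD83D\uDE00";
        report("72 x 'a'",          "a".repeat(72));            // 72 / 72 / 72 / true
        report("71 x 'a' + 'ñ'",    "a".repeat(71) + "\u00F1"); // 72 / 72 / 73 / false
        report("68 x 'a' + emoji",  "a".repeat(68) + emoji);    // 70 / 69 / 72 / true
        report("69 x 'a' + emoji",  "a".repeat(69) + emoji);    // 71 / 70 / 73 / false
    }
}
```

The second line is exactly the case the issue describes: 72 characters by any character count, yet 73 UTF-8 bytes, so a character-based test would accept a value the byte-based check rejects. The third and fourth lines show why a test must not use `String.length()` to count "characters" either: the emoji occupies two UTF-16 units, so `length()` disagrees with both the code point count and the byte count.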

Labels: in: crypto (An issue in spring-security-crypto), type: bug (A general bug)