Incorrect code comment on users-permission register controller.

[psikoi]

Describe the bug
Nothing major, this is probably a typo or an outdated code comment:

    // Throw an error if the password selected by the user
    // contains more than two times the symbol '$'.
    if (strapi.plugins['users-permissions'].services.user.isHashed(params.password)) {
      return ctx.badRequest(
        null,
        formatError({
          id: 'Auth.form.error.password.format',
          message: 'Your password cannot contain more than three times the symbol `$`.',
        })
      );
    }

Link to snippet:

strapi/packages/strapi-plugin-users-permissions/controllers/Auth.js

Line 415 in 331b738

// Throw an error if the password selected by the user

As you can see, the comment says two times, while the error message AND the isHashed function say three is the correct amount.

This seems to still be in master code as of this post.

[lauriejim]

Thank you, can you please submit a PR to update this comment.
Thank you.

[psikoi]

Will do.

[derrickmehaffy]

Fixed in above PR

[borm]

@derrickmehaffy, can u explain please why user cant have more than two times the symbol '$' in his password?
any security risks?

[derrickmehaffy]

I'm not aware of that limitation, I would offer a guess to the cause as being the regex we use to validate the password. Can you open a new bug report @borm

[jscottsf]

It's being use to detect whether the password has been bcrypted. hashPassword calls isHashed which does the check. Even worse, the validation is NOT done in resetPassword so a user could type in a password with enough dollar signs to "appear" hashed and inadvertently set their password to null.

Overall this feels wonky and inconsistent. Hmmm.

Decided to override the controller/service files and use a regex check for bcryptiness ^[$]2[abxy]?[$](?:0[4-9]|[12][0-9]|3[01])[$][./0-9a-zA-Z]{53}$. Also adding a validation to resetPassword. Hope this helps someone.