fix hashed password recognition (#1270)

membrane · Sep 11, 2024 · 485ff1b · 485ff1b
1 parent efc98fb
commit 485ff1b
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/.../com/predic8/membrane/core/interceptor/authentication/session/StaticUserDataProvider.java b/.../com/predic8/membrane/core/interceptor/authentication/session/StaticUserDataProvider.java
@@ -80,7 +80,7 @@ public Map<String, String> verify(Map<String, String> postData) {
 		return userAttributes.getAttributes();
 	}
 
-	private boolean isHashedPassword(String postDataPassword) {
+	public boolean isHashedPassword(String postDataPassword) {
 		String[] split = postDataPassword.split(Pattern.quote("$"));
 		if (split.length != 4)
 			return false;
@@ -89,7 +89,7 @@ private boolean isHashedPassword(String postDataPassword) {
 		if (split[3].length() < 20)
 			return false;
 		// Check if second part is a valid hex
-		return Pattern.matches("[a-fA-F0-9]{40}", split[2]);
+		return Pattern.matches("[a-fA-F0-9]{16,512}", split[2]);
 	}
 
 	private String createPasswdCompatibleHash(String algo, String password, String salt) {

diff --git a/core/src/test/java/com/predic8/membrane/core/UnitTests.java b/core/src/test/java/com/predic8/membrane/core/UnitTests.java
@@ -34,6 +34,7 @@
 import com.predic8.membrane.core.interceptor.apikey.extractors.ApiKeyHeaderExtractorTest;
 import com.predic8.membrane.core.interceptor.apikey.stores.ApiKeyFileStoreTest;
 import com.predic8.membrane.core.interceptor.authentication.BasicAuthenticationInterceptorTest;
+import com.predic8.membrane.core.interceptor.authentication.session.StaticUserDataProviderTest;
 import com.predic8.membrane.core.interceptor.balancer.*;
 import com.predic8.membrane.core.interceptor.beautifier.BeautifierInterceptorTest;
 import com.predic8.membrane.core.interceptor.cbr.XPathCBRInterceptorTest;
@@ -105,6 +106,7 @@
 		ResponseTest.class,
 		ResponseBuilderTest.class,
 		BasicAuthenticationInterceptorTest.class,
+		StaticUserDataProviderTest.class,
         MagicTest.class, WSDLInterceptorTest.class,
         AccessControlParserTest.class, HostnameTest.class, ParseTypeTest.class, IpRangeTest.class,
         DispatchingInterceptorTest.class,

diff --git a/.../predic8/membrane/core/interceptor/authentication/session/StaticUserDataProviderTest.java b/.../predic8/membrane/core/interceptor/authentication/session/StaticUserDataProviderTest.java
@@ -0,0 +1,16 @@
+package com.predic8.membrane.core.interceptor.authentication.session;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+public class StaticUserDataProviderTest {
+    @Test
+    public void test() {
+        StaticUserDataProvider sudp = new StaticUserDataProvider();
+        Assertions.assertTrue(
+                sudp.isHashedPassword("$5$9d3c06e19528aebb$cZBA3E3SdoUvk865.WyPA5iNUEA7uwDlDX7D5Npkh8/"));
+        Assertions.assertTrue(
+                sudp.isHashedPassword("$5$99a6391616158b48$PqFPn9f/ojYdRcu.TVsdKeeRHKwbWApdEypn6wlUQn5"));
+
+    }
+}