#6: SecureString.toString() hides the lenght of the underlying password

Password4j · Aug 28, 2020 · 59da4c9 · 59da4c9
1 parent 38a3d37
commit 59da4c9
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 9 deletions.
diff --git a/src/main/java/com/password4j/SecureString.java b/src/main/java/com/password4j/SecureString.java
@@ -139,20 +139,17 @@ private static synchronized void clear(char[] chars)
     }
 
     /**
+     * Returns a constant {@link String} in order to prevent data leaks due
+     * to accidental usage of a {@link SecureString} objects in methods like
+     * {@link java.io.PrintStream#print(Object)}, loggers, etc.
+     *
      * @return a masked version of this object.
      * @since 1.2.0
      */
     @Override
     public String toString()
     {
-        StringBuilder sb = new StringBuilder(chars.length + 2);
-        sb.append("SecureString[");
-        for (int i = 0; i < chars.length; i++)
-        {
-            sb.append('*');
-        }
-        sb.append(']');
-        return sb.toString();
+        return "SecureString[****]";
     }
 
     /**

diff --git a/src/test/com/password4j/StringTest.java b/src/test/com/password4j/StringTest.java
@@ -93,7 +93,7 @@ public void testEmpty()
     {
         SecureString ss = new SecureString(new char[0]);
 
-        Assert.assertEquals("SecureString[]", ss.toString());
+        Assert.assertEquals("SecureString[****]", ss.toString());
         Assert.assertEquals(0, ss.length());
         try
         {