From 59da4c911999965b235d814d5f9e5511354af560 Mon Sep 17 00:00:00 2001
From: firaja
Date: Fri, 28 Aug 2020 10:16:39 +0200
Subject: [PATCH] #6: SecureString.toString() hides the lenght of the underlying password

---
 src/main/java/com/password4j/SecureString.java | 13 +++++--------
 src/test/com/password4j/StringTest.java | 2 +-
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/src/main/java/com/password4j/SecureString.java b/src/main/java/com/password4j/SecureString.java
index 038e4160..5bcab387 100644
--- a/src/main/java/com/password4j/SecureString.java
+++ b/src/main/java/com/password4j/SecureString.java
@@ -139,20 +139,17 @@ private static synchronized void clear(char[] chars)
 }

 /**
+ * Returns a constant {@link String} in order to prevent data leaks due
+ * to accidental usage of a {@link SecureString} objects in methods like
+ * {@link java.io.PrintStream#print(Object)}, loggers, etc.
+ *
 * @return a masked version of this object.
 * @since 1.2.0
 */
 @Override
 public String toString()
 {
- StringBuilder sb = new StringBuilder(chars.length + 2);
- sb.append("SecureString[");
- for (int i = 0; i < chars.length; i++)
- {
- sb.append('*');
- }
- sb.append(']');
- return sb.toString();
+ return "SecureString[****]";
 }

 /**
diff --git a/src/test/com/password4j/StringTest.java b/src/test/com/password4j/StringTest.java
index 1af62f5a..c5d8d4a2 100644
--- a/src/test/com/password4j/StringTest.java
+++ b/src/test/com/password4j/StringTest.java
@@ -93,7 +93,7 @@ public void testEmpty()
 {
 SecureString ss = new SecureString(new char[0]);

- Assert.assertEquals("SecureString[]", ss.toString());
+ Assert.assertEquals("SecureString[****]", ss.toString());
 Assert.assertEquals(0, ss.length());
 try
 {
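Review bot: The new Javadoc on `toString()` covers the logging case but not the consequence for callers that convert the value: any code that calls `toString()`, `String.valueOf(...)` or string concatenation on a `SecureString` before hashing or comparing will now operate on the constant `SecureString[****]`, so every password would look identical. If the class implements `CharSequence` (not visible in this hunk), the constant also departs from that interface's `toString()` contract, which deserves an explicit sentence. I would add `* The returned value never contains the password; read the characters through this class's accessors, never through this method.` and change the tag to `@return a constant placeholder that does not depend on the content or its length.` The phrase `a {@link SecureString} objects` should read `{@link SecureString} objects`.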
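Review bot: The updated assertion in `testEmpty()` checks the mask only for a zero-length value, so the property this commit is about (output independent of the password's length) is not pinned by this test. Add a non-empty case next to it, for example `Assert.assertEquals("SecureString[****]", new SecureString(new char[]{'a', 'b', 'c'}).toString());`, so that a regression to per-character masking fails. `testEmpty()` continues past the end of the hunk, so a later assertion may already cover this.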