Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SecureString.toString exposes password length #6

Closed
nkiesel opened this issue Aug 17, 2020 · 2 comments · Fixed by #7
Closed

SecureString.toString exposes password length #6

nkiesel opened this issue Aug 17, 2020 · 2 comments · Fixed by #7
Assignees
@firaja
Labels
good first issue Good for newcomers type: bug Something isn't working
Milestone
1.3.2

Comments

@nkiesel
Copy link

nkiesel commented Aug 17, 2020

SecureString.toString returns a masked value like [***]. However, the number of * returned is taken from the number of characters of the contained password, exposing it's length. I suggest to always return the same constant (e.g. [*****]) instead.
@nkiesel nkiesel added the type: bug Something isn't working label Aug 17, 2020
@firaja firaja added the good first issue Good for newcomers label Aug 26, 2020
@firaja firaja self-assigned this Aug 28, 2020
@firaja firaja added this to the 1.3.2 milestone Aug 28, 2020
@firaja
Copy link
Member

firaja commented Aug 28, 2020

Even if #lenght() exposes the length of the password, hiding the numbers of the characters in #toString() may prevent data leaks; a case example is a developer that accidentally uses a SecureString object in a method that calls #toString() on some of its arguments (e.g. PrintStream).

Thank you @nkiesel

firaja added a commit that referenced this issue Aug 28, 2020
@firaja
#6: SecureString.toString() hides the lenght of the underlying password
59da4c9
firaja added a commit that referenced this issue Aug 28, 2020
@firaja
Merge pull request #7 from Password4j/bug-6
cb6ec12 
#6: SecureString.toString() hides the lenght of the underlying password
@firaja firaja linked a pull request Aug 28, 2020 that will close this issue
#6: SecureString.toString() hides the lenght of the underlying password #7
Merged
@firaja firaja closed this as completed Aug 28, 2020
@firaja
Copy link
Member

firaja commented Aug 28, 2020

Solved in #7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@firaja firaja

Labels
good first issue Good for newcomers type: bug Something isn't working
Projects
None yet
Milestone
1.3.2
Development

Successfully merging a pull request may close this issue.

#6: SecureString.toString() hides the lenght of the underlying password Password4j/password4j
2 participants
@nkiesel @firaja