[11.x] Fix Bcrypt/Argon/Argon2I Hashers not checking database field for nullish value before checking hash compatibility #52297
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Updates Bcrypt Hasher implementation to correctly check if the `$hashedValue` field being checked for Hash Algorithm compatibility is not `null` or of length `0`. This gives us the behavior before hash verification was added to the framework that will trigger the framework to return early with a proper response of `false` as opposed to a generic `RuntimeException` being thrown for a value that should never have been checked for hash algorithm compatibility
localpath
commented
Jul 28, 2024
| @@ -18,13 +18,13 @@ class Argon2IdHasher extends ArgonHasher | |||
| */ | |||
| public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = []) | |||
| { | |||
There was a problem hiding this comment.
seems like a logic error to check for the hash compatibility before checking if the hashed value is even non-null or empty.
the original if statement would never be reached. contrast to the other hashing implementations that were missing this entirely
if (is_null($hashedValue) || strlen($hashedValue) === 0) {
return false;
}
localpath
commented
Jul 28, 2024
| @@ -67,6 +67,10 @@ public function make(#[\SensitiveParameter] $value, array $options = []) | |||
| */ | |||
| public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = []) | |||
| { | |||
There was a problem hiding this comment.
if we don't check for a nullish or empty value first, we'll always throw a runtime exception which means the end user won't receive the normally expected 401 or similar failed to authenticate, but rather a 500 server error which makes applications look broken
localpath
changed the title
localpath
changed the title
|
cc @valorin |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backstory:
If we don't check for a nullish or empty value first before checking if a given
$hashedValueis compatible with our apps algorithm, we'll always throw a runtime exception which means the end user won't receive the normally expected 401/422 or similar failed to authenticate, but rather a 500 server error which makes applications look broken.Started seeing
500errors for users attempting to login to the app after hash recheck landed in the framework. If a users password field is null or empty in the database they should receive a 401/422 or similar authentication exception/response. This has caused quite a bit of issues as you can imagine the context of a 500 level error vs a 401/422 which is expected if someone is trying to login but hasn't yet set a password.Seems like this was an oversight in this feature being rolled out since we can see some inconsistencies and incorrect logical checks being missing or out of order in the hashing implementations.
Updates
BcryptHasherArgonHasherandArgon2IdHasherHash implementations to correctly check if the$hashedValuefield being checked for Hash Algorithm compatibility is notnullor of length0. This gives us the behavior before hash verification was added to the framework that will trigger the framework to return early with a proper response offalseas opposed to a genericRuntimeExceptionbeing thrown for a value that should never have been checked for hash algorithm compatibility.To reproduce:
nullin the database500level error response because of the missing statements being added hereTo show original behavior:
HASH_VERIFY=falsein your.envnullThanks for all you do and hopefully this makes it in the framework!