Merge pull request #13408 from zhongwencool/password-crash

chore: improve auth error for invalid salt/password type
2024-07-05 11:44:21 +08:00 · 2024-07-05 11:44:21 +08:00 · 094259f444
parent 9d0b5a9bc6 755d6c9e0f
commit 094259f444
4 changed files with 22 additions and 2 deletions
--- a/apps/emqx/src/emqx_passwd.erl
+++ b/apps/emqx/src/emqx_passwd.erl
@ -102,7 +102,11 @@ hash({SimpleHash, _Salt, disable}, Password) when is_binary(Password) ->
 hash({SimpleHash, Salt, prefix}, Password) when is_binary(Password), is_binary(Salt) ->
    hash_data(SimpleHash, <<Salt/binary, Password/binary>>);
 hash({SimpleHash, Salt, suffix}, Password) when is_binary(Password), is_binary(Salt) ->
-    hash_data(SimpleHash, <<Password/binary, Salt/binary>>).
+    hash_data(SimpleHash, <<Password/binary, Salt/binary>>);
+hash({_SimpleHash, Salt, _SaltPos}, _Password) when not is_binary(Salt) ->
+    error({salt_not_string, Salt});
+hash({_SimpleHash, _Salt, _SaltPos}, Password) when not is_binary(Password) ->
+    error({password_not_string, Password}).

 -spec hash_data(hash_type(), binary()) -> binary().
 hash_data(plain, Data) when is_binary(Data) ->
--- a/apps/emqx/test/emqx_passwd_SUITE.erl
+++ b/apps/emqx/test/emqx_passwd_SUITE.erl
@ -124,4 +124,18 @@ t_hash(_) ->
    false = emqx_passwd:check_pass({pbkdf2, sha, Pbkdf2Salt, 2, BadDKlen}, Pbkdf2, Password),

    %% Invalid derived_length, pbkdf2 fails
-    ?assertException(error, _, emqx_passwd:hash({pbkdf2, sha, Pbkdf2Salt, 2, BadDKlen}, Password)).
+    ?assertException(error, _, emqx_passwd:hash({pbkdf2, sha, Pbkdf2Salt, 2, BadDKlen}, Password)),
+
+    %% invalid salt (not binary)
+    ?assertException(
+        error,
+        {salt_not_string, false},
+        emqx_passwd:hash({sha256, false, suffix}, Password)
+    ),
+
+    %% invalid password (not binary)
+    ?assertException(
+        error,
+        {password_not_string, bad_password_type},
+        emqx_passwd:hash({sha256, Salt, suffix}, bad_password_type)
+    ).
--- a/changes/ce/fix-13398.en.md
+++ b/changes/ce/fix-13398.en.md
@ -0,0 +1 @@
+Fix acl rule clearing when reloading built-in-database for authorization using command line.
--- a/changes/ce/fix-13408.en.md
+++ b/changes/ce/fix-13408.en.md
@ -0,0 +1 @@
+Fix function_clause crash that occurs when attempting to authenticate with an invalid type of salt or password.
				`@ -0,0 +1 @@`
				`Fix acl rule clearing when reloading built-in-database for authorization using command line.`
				`@ -0,0 +1 @@`
				`Fix function_clause crash that occurs when attempting to authenticate with an invalid type of salt or password.`