There is some interesting behavior going on when generating a hash with a salt that fits the validation regex, but has a version that doesn't exist, in that it returns the empty string instead of raising:
> salt = "$2a$10$TD5b9p9vdGsuEwKyrtSua."
> BCrypt::Engine.hash_secret("test", salt, 10).to_s
=> "$2a$10$TD5b9p9vdGsuEwKyrtSua.sh9lprEf.VOyagv/sm7PbdPVT46i.1K"
> salt = "$2x$10$TD5b9p9vdGsuEwKyrtSua."
> BCrypt::Engine.hash_secret("test", salt, 10).to_s
=> "$2x$10$TD5b9p9vdGsuEwKyrtSua.sh9lprEf.VOyagv/sm7PbdPVT46i.1K"
> salt = "$00$10$TD5b9p9vdGsuEwKyrtSua."
> BCrypt::Engine.hash_secret("test", salt, 10).to_s
=> ""
This behavior doesn't appear to be covered by specs, and looks to be slightly dangerous if undetected. Would it be a good idea to change the regex at https://github.com/codahale/bcrypt-ruby/blob/master/lib/bcrypt/engine.rb#L81 from `/^\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/` to `/^\$2[abxy]\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/`, or am I missing some use-case here?
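As an added example (not bcrypt-ruby's own code), the current and proposed salt regexes side by side, plus a wrapper that rejects unsupported salts up front and raises instead of returning an empty hash; `engine` is an assumed callable standing in for `BCrypt::Engine.hash_secret` so the snippet runs without the gem.

```ruby
# Current regex from engine.rb: any two-or-more char version tag passes.
CURRENT_SALT_RE  = /^\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/
# Proposed regex: only the bcrypt versions the library actually supports.
PROPOSED_SALT_RE = /^\$2[abxy]\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/

class InvalidSalt < StandardError; end
class HashFailed  < StandardError; end

# Returns true when the salt matches the given regex (stricter one by default).
def valid_salt?(salt, regex = PROPOSED_SALT_RE)
  !!(salt =~ regex)
end

# engine: any callable (secret, salt, cost) -> hash string (assumption; in
# real use pass BCrypt::Engine.method(:hash_secret)). Two defensive checks:
# refuse salts with unknown versions, and never hand back an empty string.
def strict_hash_secret(secret, salt, cost, engine)
  unless valid_salt?(salt)
    raise InvalidSalt, "salt #{salt.inspect} is not a supported bcrypt salt"
  end
  out = engine.call(secret, salt, cost).to_s
  raise HashFailed, "bcrypt engine returned an empty hash" if out.empty?
  out
end
```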