fix: resolve Sscanf greedy parsing bug in VerifyPassword

This commit is contained in:
root
2026-06-29 16:25:58 +00:00
parent a81a8e6901
commit 3072cda051
+19 -10
View File
@@ -5,6 +5,7 @@ import (
"crypto/subtle" "crypto/subtle"
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"strings"
"golang.org/x/crypto/argon2" "golang.org/x/crypto/argon2"
) )
@@ -43,22 +44,30 @@ func HashPassword(password string) (string, error) {
// VerifyPassword compares a password against an encoded Argon2id hash. // VerifyPassword compares a password against an encoded Argon2id hash.
func VerifyPassword(password, encodedHash string) (bool, error) { func VerifyPassword(password, encodedHash string) (bool, error) {
var version int parts := strings.Split(encodedHash, "$")
var memory, time uint32 if len(parts) != 6 {
var threads uint8 return false, fmt.Errorf("invalid hash format")
var salt, hash []byte
_, err := fmt.Sscanf(encodedHash, "$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s", &version, &memory, &time, &threads, &salt, &hash)
if err != nil {
return false, fmt.Errorf("parse hash: %w", err)
} }
decodedSalt, err := base64.RawStdEncoding.DecodeString(string(salt)) var version int
_, err := fmt.Sscanf(parts[2], "v=%d", &version)
if err != nil {
return false, fmt.Errorf("parse version: %w", err)
}
var memory, time uint32
var threads uint8
_, err = fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &memory, &time, &threads)
if err != nil {
return false, fmt.Errorf("parse params: %w", err)
}
decodedSalt, err := base64.RawStdEncoding.DecodeString(parts[4])
if err != nil { if err != nil {
return false, fmt.Errorf("decode salt: %w", err) return false, fmt.Errorf("decode salt: %w", err)
} }
decodedHash, err := base64.RawStdEncoding.DecodeString(string(hash)) decodedHash, err := base64.RawStdEncoding.DecodeString(parts[5])
if err != nil { if err != nil {
return false, fmt.Errorf("decode hash: %w", err) return false, fmt.Errorf("decode hash: %w", err)
} }