Chore: additional check when decrypting values (#34637)

* Chore: additional check when decrypting values * Apply suggestions from code review
4 years ago · a5082ab112
parent ab26c4dfa4
commit a5082ab112
2 changed files with 11 additions and 0 deletions
--- a/pkg/util/encryption.go
+++ b/pkg/util/encryption.go
@ -6,6 +6,7 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"errors"
+	"fmt"
 	"io"

 	"golang.org/x/crypto/pbkdf2"
@ -15,6 +16,9 @@ const saltLength = 8

 // Decrypt decrypts a payload with a given secret.
 func Decrypt(payload []byte, secret string) ([]byte, error) {
+	if len(payload) < saltLength {
+		return nil, fmt.Errorf("unable to compute salt")
+	}
 	salt := payload[:saltLength]
 	key, err := encryptionKeyToBytes(secret, string(salt))
 	if err != nil {
--- a/pkg/util/encryption_test.go
+++ b/pkg/util/encryption_test.go
@ -27,4 +27,11 @@ func TestEncryption(t *testing.T) {

 		assert.Equal(t, []byte("grafana"), decrypted)
 	})
+
+	t.Run("decrypting empty payload should not fail", func(t *testing.T) {
+		_, err := Decrypt([]byte(""), "1234")
+		require.Error(t, err)
+
+		assert.Equal(t, "unable to compute salt", err.Error())
+	})
 }