bcrypt - npm Package Compare versions

Comparing version 5.0.0 to 5.0.1

bcrypt.js

 'use strict';
 
-var binary = require('node-pre-gyp');
+var nodePreGyp = require('@mapbox/node-pre-gyp');
 var path = require('path');
-var binding_path = binary.find(path.resolve(path.join(__dirname, './package.json')));
+var binding_path = nodePreGyp.find(path.resolve(path.join(__dirname, './package.json')));
 var bindings = require(binding_path);
@@ -86,3 +86,3 @@
 /// hash data using a salt
-/// @param {String} data the data to encrypt
+/// @param {String|Buffer} data the data to encrypt
 /// @param {String} salt the salt to use when hashing
@@ -95,4 +95,4 @@ /// @return {String} hash
 
-    if (typeof data !== 'string' || (typeof salt !== 'string' && typeof salt !== 'number')) {
-        throw new Error('data must be a string and salt must either be a salt string or a number of rounds');
+    if (!(typeof data === 'string' || data instanceof Buffer) || (typeof salt !== 'string' && typeof salt !== 'number')) {
+        throw new Error('data must be a string or Buffer and salt must either be a salt string or a number of rounds');
     }
@@ -108,3 +108,3 @@
 /// hash data using a salt
-/// @param {String} data the data to encrypt
+/// @param {String|Buffer} data the data to encrypt
 /// @param {String} salt the salt to use when hashing
@@ -116,3 +116,3 @@ /// @param {Function} cb callback(err, hash)
     if (typeof data === 'function') {
-        error = new Error('data must be a string and salt must either be a salt string or a number of rounds');
+        error = new Error('data must be a string or Buffer and salt must either be a salt string or a number of rounds');
         return process.nextTick(function() {
@@ -124,3 +124,3 @@ data(error);
     if (typeof salt === 'function') {
-        error = new Error('data must be a string and salt must either be a salt string or a number of rounds');
+        error = new Error('data must be a string or Buffer and salt must either be a salt string or a number of rounds');
         return process.nextTick(function() {
@@ -148,4 +148,4 @@ salt(error);
 
-    if (typeof data !== 'string' || (typeof salt !== 'string' && typeof salt !== 'number')) {
-        error = new Error('data must be a string and salt must either be a salt string or a number of rounds');
+    if (!(typeof data === 'string' || data instanceof Buffer) || (typeof salt !== 'string' && typeof salt !== 'number')) {
+        error = new Error('data must be a string or Buffer and salt must either be a salt string or a number of rounds');
         return process.nextTick(function() {
@@ -167,3 +167,3 @@ cb(error);
 /// compare raw data to hash
-/// @param {String} data the data to hash and compare
+/// @param {String|Buffer} data the data to hash and compare
 /// @param {String} hash expected hash
@@ -176,4 +176,4 @@ /// @return {bool} true if hashed data matches hash
 
-    if (typeof data !== 'string' || typeof hash !== 'string') {
-        throw new Error('data and hash must be strings');
+    if (!(typeof data === 'string' || data instanceof Buffer) || typeof hash !== 'string') {
+        throw new Error('data must be a string or Buffer and hash must be a string');
     }
@@ -185,3 +185,3 @@
 /// compare raw data to hash
-/// @param {String} data the data to hash and compare
+/// @param {String|Buffer} data the data to hash and compare
 /// @param {String} hash expected hash
@@ -223,3 +223,3 @@ /// @param {Function} cb callback(err, matched) - matched is true if hashed data matches hash
 
-    if (typeof data !== 'string' || typeof hash !== 'string') {
+    if (!(typeof data === 'string' || data instanceof Buffer) || typeof hash !== 'string') {
         error = new Error('data and hash must be strings');
@@ -226,0 +226,0 @@ return process.nextTick(function() {

CHANGELOG.md

@@ -0,1 +1,5 @@
+# 5.0.1 (2021-02-22)
+
+  * Update `node-pre-gyp` to 1.0.0
+
 # 5.0.0 (2020-06-02)
@@ -2,0 +6,0 @@

package.json

@@ -14,3 +14,3 @@ {
   "main": "./bcrypt",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "author": "Nick Campbell (https://github.com/ncb000gt)",
@@ -33,4 +33,4 @@ "engines": {
   "dependencies": {
-    "node-pre-gyp": "0.15.0",
-    "node-addon-api": "^3.0.0"
+    "@mapbox/node-pre-gyp": "^1.0.0",
+    "node-addon-api": "^3.1.0"
   },
@@ -37,0 +37,0 @@ "devDependencies": {

README.md

@@ -25,5 +25,5 @@ # node.bcrypt.js
 | 4              | <= 2.1.0          |
-| 8              | >= 1.0.3 < 4.0.0 |
+| 8              | >= 1.0.3 < 4.0.0  |
 | 10, 11         | >= 3              |
-| 12             | >= 3.0.6          |
+| 12 onwards     | >= 3.0.6          |
 
@@ -45,2 +45,4 @@ `node-gyp` only works with stable/released versions of node. Since the `bcrypt` module uses `node-gyp` to build and install, you'll need a stable version of node to use bcrypt. If you do not, you'll likely see an error that starts with:
 * An [issue with passwords][jtr] was found with a version of the Blowfish algorithm developed for John the Ripper. This is not present in the OpenBSD version and is thus not a problem for this module. HT [zooko][zooko].
+* Versions `< 5.0.0` suffer from bcrypt wrap-around bug and _will truncate passwords >= 255 characters leading to severely weakened passwords_. Please upgrade at  earliest. See [this wiki page][wrap-around-bug] for more details.
+* Versions `< 5.0.0` _do not handle NUL characters inside passwords properly leading to all subsequent characters being dropped and thus resulting in severely  weakened passwords_. Please upgrade at earliest. See [this wiki page][improper-nuls] for more details.
 
@@ -286,4 +288,24 @@ ## Compatibility Note
 
-Resultant hashes will be 60 characters long.
+Resultant hashes will be 60 characters long and they will include the salt among other parameters, as follows:
 
+`$[algorithm]$[cost]$[salt][hash]`
+
+- 2 chars hash algorithm identifier prefix. `"$2a$" or "$2b$"` indicates BCrypt
+- Cost-factor (n). Represents the exponent used to determine how many iterations 2^n
+- 16-byte (128-bit) salt, base64 encoded to 22 characters
+- 24-byte (192-bit) hash, base64 encoded to 31 characters
+
+Example:
+```
+$2b$10$nOUIs5kJ7naTuTFkBy1veuK0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa
+ |  |  |                     |
+ |  |  |                     hash-value = K0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa
+ |  |  |
+ |  |  salt = nOUIs5kJ7naTuTFkBy1veu
+ |  |
+ |  cost-factor => 10 = 2^10 rounds
+ |
+ hash-algorithm identifier => 2b = BCrypt
+```
+
 ## Testing
@@ -336,2 +358,4 @@
 [timingatk]: https://codahale.com/a-lesson-in-timing-attacks/
+[wrap-around-bug]: https://github.com/kelektiv/node.bcrypt.js/wiki/Security-Issues-and-Concerns#bcrypt-wrap-around-bug-medium-severity
+[improper-nuls]: https://github.com/kelektiv/node.bcrypt.js/wiki/Security-Issues-and-Concerns#improper-nul-handling-medium-severity
 
@@ -338,0 +362,0 @@ [shadowfiend]:https://github.com/Shadowfiend

test/implementation.js

@@ -32,2 +32,3 @@ var bcrypt = require('../bcrypt');
         assert.strictEqual(bcrypt.hashSync("Passw\0 you can literally write anything after the NUL character", "$2b$05$CCCCCCCCCCCCCCCCCCCCC."), "$2b$05$CCCCCCCCCCCCCCCCCCCCC.4vJLJQ6nZ/70INTjjSZWQ0iyUek92tu");
+        assert.strictEqual(bcrypt.hashSync(Buffer.from("Passw\0 you can literally write anything after the NUL character"), "$2b$05$CCCCCCCCCCCCCCCCCCCCC."), "$2b$05$CCCCCCCCCCCCCCCCCCCCC.4vJLJQ6nZ/70INTjjSZWQ0iyUek92tu");
         assert.done();
@@ -47,4 +48,8 @@ },
         assert.strictEqual(bcrypt.hashSync("ἓν οἶδα ὅτι οὐδὲν οἶδα", "$2b$12$LeHKWR2bmrazi/6P22Jpau"), "$2b$12$LeHKWR2bmrazi/6P22JpauX5my/eKwwKpWqL7L5iEByBnxNc76FRW");
-        assert.done();
+        assert.strictEqual(bcrypt.hashSync(Buffer.from("ἓν οἶδα ὅτι οὐδὲν οἶδα"), "$2b$12$LeHKWR2bmrazi/6P22Jpau"), "$2b$12$LeHKWR2bmrazi/6P22JpauX5my/eKwwKpWqL7L5iEByBnxNc76FRW");
+        bcrypt.hash(Buffer.from("ἓν οἶδα ὅτι οὐδὲν οἶδα"), "$2b$12$LeHKWR2bmrazi/6P22Jpau", function(err, hash) {
+            assert.strictEqual(hash, "$2b$12$LeHKWR2bmrazi/6P22JpauX5my/eKwwKpWqL7L5iEByBnxNc76FRW");
+            assert.done();
+        });
     }
 }

No alert changes

Improved metrics

Lines of code

972

increased by0.52%

Number of lines in readme file

375

increased by6.84%

Worsened metrics

Total package byte prevSize

118561

decreased by-19.95%

Dependency changes

• + Added@mapbox/node-pre-gyp@^1.0.0

• + Added@mapbox/node-pre-gyp@1.0.11(transitive)

• + Addedagent-base@6.0.2(transitive)

• + Addedansi-regex@5.0.1(transitive)

• + Addedaproba@2.0.0(transitive)

• + Addedare-we-there-yet@2.0.0(transitive)

• + Addedchownr@2.0.0(transitive)

• + Addedcolor-support@1.1.3(transitive)

• + Addeddebug@4.3.4(transitive)

• + Addeddetect-libc@2.0.3(transitive)

• + Addedemoji-regex@8.0.0(transitive)

• + Addedfs-minipass@2.1.0(transitive)

• + Addedgauge@3.0.2(transitive)

• + Addedhttps-proxy-agent@5.0.1(transitive)

• + Addedis-fullwidth-code-point@3.0.0(transitive)

• + Addedmake-dir@3.1.0(transitive)

• + Addedminipass@3.3.65.0.0(transitive)

• + Addedminizlib@2.1.2(transitive)

• + Addedmkdirp@1.0.4(transitive)

• + Addedms@2.1.2(transitive)

• + Addednode-fetch@2.7.0(transitive)

• + Addednopt@5.0.0(transitive)

• + Addednpmlog@5.0.1(transitive)

• + Addedreadable-stream@3.6.2(transitive)

• + Addedrimraf@3.0.2(transitive)

• + Addedsemver@6.3.17.6.2(transitive)

• + Addedstring-width@4.2.3(transitive)

• + Addedstring_decoder@1.3.0(transitive)

• + Addedstrip-ansi@6.0.1(transitive)

• + Addedtar@6.2.1(transitive)

• + Addedtr46@0.0.3(transitive)

• + Addedwebidl-conversions@3.0.1(transitive)

• + Addedwhatwg-url@5.0.0(transitive)

• + Addedyallist@4.0.0(transitive)

• - Removednode-pre-gyp@0.15.0

• - Removedansi-regex@2.1.1(transitive)

• - Removedaproba@1.2.0(transitive)

• - Removedare-we-there-yet@1.1.7(transitive)

• - Removedchownr@1.1.4(transitive)

• - Removedcode-point-at@1.1.0(transitive)

• - Removedcore-util-is@1.0.3(transitive)

• - Removeddebug@3.2.7(transitive)

• - Removeddeep-extend@0.6.0(transitive)

• - Removeddetect-libc@1.0.3(transitive)

• - Removedfs-minipass@1.2.7(transitive)

• - Removedgauge@2.7.4(transitive)

• - Removediconv-lite@0.4.24(transitive)

• - Removedignore-walk@3.0.4(transitive)

• - Removedini@1.3.8(transitive)

• - Removedis-fullwidth-code-point@1.0.0(transitive)

• - Removedisarray@1.0.0(transitive)

• - Removedminimist@1.2.8(transitive)

• - Removedminipass@2.9.0(transitive)

• - Removedminizlib@1.3.3(transitive)

• - Removedmkdirp@0.5.6(transitive)

• - Removedms@2.1.3(transitive)

• - Removedneedle@2.9.1(transitive)

• - Removednode-pre-gyp@0.15.0(transitive)

• - Removednopt@4.0.3(transitive)

• - Removednpm-bundled@1.1.2(transitive)

• - Removednpm-normalize-package-bin@1.0.1(transitive)

• - Removednpm-packlist@1.4.8(transitive)

• - Removednpmlog@4.1.2(transitive)

• - Removednumber-is-nan@1.0.1(transitive)

• - Removedos-homedir@1.0.2(transitive)

• - Removedos-tmpdir@1.0.2(transitive)

• - Removedosenv@0.1.5(transitive)

• - Removedprocess-nextick-args@2.0.1(transitive)

• - Removedrc@1.2.8(transitive)

• - Removedreadable-stream@2.3.8(transitive)

• - Removedrimraf@2.7.1(transitive)

• - Removedsafe-buffer@5.1.2(transitive)

• - Removedsafer-buffer@2.1.2(transitive)

• - Removedsax@1.3.0(transitive)

• - Removedsemver@5.7.2(transitive)

• - Removedstring-width@1.0.2(transitive)

• - Removedstring_decoder@1.1.1(transitive)

• - Removedstrip-ansi@3.0.1(transitive)

• - Removedstrip-json-comments@2.0.1(transitive)

• - Removedtar@4.4.19(transitive)

• - Removedyallist@3.1.1(transitive)

• Updatednode-addon-api@^3.1.0