From 1687537f6ea03312183059fed45f12f350de2f17 Mon Sep 17 00:00:00 2001
From: Hugh Willson
Date: Thu, 19 Oct 2017 07:41:12 -0400
Subject: [PATCH] Switch to parseInt; Use safer method of extracting rounds

---
 packages/accounts-password/password_server.js | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/packages/accounts-password/password_server.js b/packages/accounts-password/password_server.js
index beb8abcdf0..1804344724 100644
--- a/packages/accounts-password/password_server.js
+++ b/packages/accounts-password/password_server.js
@@ -53,8 +53,16 @@ var hashPassword = function (password) {
 };
 
 // Extract the number of rounds used in the specified bcrypt hash.
-const getRoundsFromBcryptHash =
-  hash => hash ? Number(hash.substring(4, 6)) : null;
+const getRoundsFromBcryptHash = hash => {
+  let rounds;
+  if (hash) {
+    const hashSegments = hash.split('$');
+    if (hashSegments.length > 2) {
+      rounds = parseInt(hashSegments[2], 10);
+    }
+  }
+  return rounds;
+};
 
 // Check whether the provided password matches the bcrypt'ed password in
 // the database user record. `password` can be a string (in which case
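Review bot: The new `getRoundsFromBcryptHash` still returns `NaN` for a malformed cost segment (`parseInt` on a non-numeric `hashSegments[2]`), and it now returns `undefined` instead of the previous `null` when `hash` is empty, so callers outside this hunk that compare against `null` may behave differently. Since the result presumably feeds a decision about whether a stored hash must be regenerated, an unparseable cost should be reported as "unknown" rather than as `NaN`; I would replace the assignment with `const parsed = Number.parseInt(hashSegments[2], 10);` followed by `if (Number.isInteger(parsed)) rounds = parsed;` and initialise `let rounds = null;` so the empty and malformed cases both yield `null` as before. A short comment on the `split('$')` line such as `// bcrypt format is $<version>$<cost>$<salt+hash>; segment 2 is the cost` would also make the `length > 2` check self-explanatory. The callers of this helper are not visible in the hunk, so the `null` vs `undefined` impact is inferred.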