It's well-established that running the command-line password hash utility will give a different hash each time; e.g.,
https://discourse.nodered.org/t/hashing-password
But the node-red-contrib-bcrypt node seems to give the same hash each time:
(From the example provided at node-red-contrib-bcrypt (node) - Node-RED)
Is this expected?
That is a known issue with that node:
GitHub issue, opened 18 Feb 2021, 04:36 PM UTC:
This node will generate the same output on multiple events. Looking at the code,… it seems the salt is generated on node initialisation and is then used throughout the lifetime of the node.
I believe this is a major security issue as it would cause every password hashed using this node to be using the same salt, defeating the entire purpose of the salt.
I think the salt should be regenerated for every 'encrypt' request. The salt should not be generated for the 'verify' request (as the salt is included in the hash already).
You should add to the existing GitHub issue. However, the node hasn't been updated in three years, so it may be abandoned.
Hi Paul,
Yes indeed, the genSaltSync (see here) should be called - in this particular use case - for every input message...
Thanks, @BartButenaers & @zenofmud.
There is a solution proposed in that GitHub issue - how would I apply that to what's installed in my Node-RED (on Raspberry Pi)?
You could edit the code and make the change. On the Pi, do a
cd $HOME/.node-red/node_modules/node-red-contrib-bcrypt/bcrypt
You could then use nano, vi or another editor to edit the bcrypt.js file. Make the change and save it, then stop and restart NR and see if it fixed the issue.
Or try installing directly from the GitHub branch of the person who forked the original node and did the patch. Not the cleanest way... unless someone contacts them again to release a new node. From the .node-red folder:
npm install martenjacobs/node-red-contrib-bcrypt#patch-1
Source of the list of commands
Actually, the author has just done an update - v0.1.3 does now give a different hash each time:
Closed by system on 26 July 2022 18:02.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.