Chore: additional check when decrypting values (#34637)

* Chore: additional check when decrypting values

* Apply suggestions from code review

pkg/util/encryption.go

@@ -6,6 +6,7 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"errors"
+	"fmt"
 	"io"
 
 	"golang.org/x/crypto/pbkdf2"
@@ -15,6 +16,9 @@ const saltLength = 8
 
 // Decrypt decrypts a payload with a given secret.
 func Decrypt(payload []byte, secret string) ([]byte, error) {
+	if len(payload) < saltLength {
+		return nil, fmt.Errorf("unable to compute salt")
+	}
 	salt := payload[:saltLength]
 	key, err := encryptionKeyToBytes(secret, string(salt))
 	if err != nil {

pkg/util/encryption_test.go

@@ -27,4 +27,11 @@ func TestEncryption(t *testing.T) {
 
 		assert.Equal(t, []byte("grafana"), decrypted)
 	})
+
+	t.Run("decrypting empty payload should not fail", func(t *testing.T) {
+		_, err := Decrypt([]byte(""), "1234")
+		require.Error(t, err)
+
+		assert.Equal(t, "unable to compute salt", err.Error())
+	})
 }