From a5082ab1124ee16365482e1cee892017bc265be6 Mon Sep 17 00:00:00 2001
From: Sofia Papagiannaki
Date: Tue, 25 May 2021 18:35:54 +0300
Subject: [PATCH] Chore: additional check when decrypting values (#34637)

* Chore: additional check when decrypting values

* Apply suggestions from code review
---
 pkg/util/encryption.go | 4 ++++
 pkg/util/encryption_test.go | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/pkg/util/encryption.go b/pkg/util/encryption.go
index 6ecda766b47..99d56dc22a1 100644
--- a/pkg/util/encryption.go
+++ b/pkg/util/encryption.go
@@ -6,6 +6,7 @@ import (
 "crypto/rand"
 "crypto/sha256"
 "errors"
+ "fmt"
 "io"

 "golang.org/x/crypto/pbkdf2"
@@ -15,6 +16,9 @@ const saltLength = 8

 // Decrypt decrypts a payload with a given secret.
 func Decrypt(payload []byte, secret string) ([]byte, error) {
+ if len(payload) < saltLength {
+ return nil, fmt.Errorf("unable to compute salt")
+ }
 salt := payload[:saltLength]
 key, err := encryptionKeyToBytes(secret, string(salt))
 if err != nil {
diff --git a/pkg/util/encryption_test.go b/pkg/util/encryption_test.go
index 2d8ee534c7a..d3d63aa4d16 100644
--- a/pkg/util/encryption_test.go
+++ b/pkg/util/encryption_test.go
@@ -27,4 +27,11 @@ func TestEncryption(t *testing.T) {

 assert.Equal(t, []byte("grafana"), decrypted)
 })
+
+ t.Run("decrypting empty payload should not fail", func(t *testing.T) {
+ _, err := Decrypt([]byte(""), "1234")
+ require.Error(t, err)
+
+ assert.Equal(t, "unable to compute salt", err.Error())
+ })
 }
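Review bot: The new guard at the top of Decrypt only protects the `payload[:saltLength]` slice, so a payload that is at least saltLength bytes long but shorter than what the rest of the function reads could still hit an out-of-range slice. Decrypt's body continues outside the hunk, so this needs confirming against the later IV and ciphertext slicing; if those use fixed offsets past the salt, the check should compare against the full minimum length rather than saltLength alone. Separately, the message has no format verbs and `errors` is already imported, so `return nil, errors.New("unable to compute salt")` would avoid the new `fmt` import. A comment above the guard such as `// Reject inputs too short to contain the salt; payload may come from untrusted storage.` would record why the check exists.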
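Review bot: The subtest name "decrypting empty payload should not fail" contradicts its body, which requires an error; something like `t.Run("decrypting empty payload should return an error", func(t *testing.T) {` states what is asserted (presumably "not fail" meant "not panic"). Only the zero-length case is exercised, so the boundary of the new check is untested; a case with a payload of `saltLength-1` bytes and one of exactly `saltLength` bytes would pin the behaviour on both sides of the guard. Matching on `err.Error()` ties the test to the message text, which is acceptable here but will break if the wording changes.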