ensure decode_password function properly handles plaintext but vali…

…d base64 passwords (#5698)
ethyca · Jan 21, 2025 · bbba31d · bbba31d
1 parent 7043171
commit bbba31d
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -52,6 +52,7 @@ Changes can also be flagged with a GitHub label for tracking purposes. The URL o
 - Fixed column ordering issue in the Data Map report [#5649](https://github.com/ethyca/fides/pull/5649)
 - Fixed issue where the Data Map report filter dialog was missing an Accordion item label [#5649](https://github.com/ethyca/fides/pull/5649)
 - Improved database session management for long running access request tasks [#5667](https://github.com/ethyca/fides/pull/5667)
+- Ensured decode_password function properly handles plaintext but valid base64 passwords [#5698](https://github.com/ethyca/fides/pull/5698)
 
 ## [2.52.0](https://github.com/ethyca/fides/compare/2.51.2...2.52.0)
 

diff --git a/src/fides/api/cryptography/cryptographic_util.py b/src/fides/api/cryptography/cryptographic_util.py
@@ -13,7 +13,7 @@ def decode_password(password: str) -> str:
     """
     try:
         return b64_str_to_str(password)
-    except Error:
+    except (Error, UnicodeDecodeError):
         return password
 
 

diff --git a/tests/lib/test_cryptography_util.py b/tests/lib/test_cryptography_util.py
@@ -104,7 +104,12 @@ def test_str_to_b64_str() -> None:
     "password, expected",
     [
         ("Testpassword1!", "Testpassword1!"),
+        (
+            "Test_1234",
+            "Test_1234",
+        ),  # this is actually valid base64 (but should be treated as plaintext), so this represents an edge case
         (str_to_b64_str("Testpassword1!"), "Testpassword1!"),
+        (str_to_b64_str("Test_1234"), "Test_1234"),
     ],
 )
 def test_decode_password(password, expected):