From 27ec5b26df8cb53951fc81f9351f200f9d597b18 Mon Sep 17 00:00:00 2001
From: Eduard S
Date: Mon, 16 Dec 2019 16:48:38 +0100
Subject: [PATCH] Add test that breaks poseidon due to a security issue
---
 poseidon/poseidon.go | 8 ++++----
 poseidon/poseidon_test.go | 10 ++++++++++
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/poseidon/poseidon.go b/poseidon/poseidon.go
index 6cc4568..c7b6d28 100644
--- a/poseidon/poseidon.go
+++ b/poseidon/poseidon.go
@@ -168,15 +168,15 @@ func Hash(arr []*big.Int) (*big.Int, error) {
 r := constants.fqR.Zero()
 for i := 0; i < len(arr); i = i + 5 {
- var fiveElems []*big.Int
+ var fiveElems [5]*big.Int
 for j := 0; j < 5; j++ {
 if i+j < len(arr) {
- fiveElems = append(fiveElems, arr[i+j])
+ fiveElems[j] = arr[i+j]
 } else {
- fiveElems = append(fiveElems, big.NewInt(int64(0)))
+ fiveElems[j] = _constants.Zero
 }
 }
- ph, err := PoseidonHash(fiveElems)
+ ph, err := PoseidonHash(fiveElems[:])
 if err != nil {
 return nil, err
 }
diff --git a/poseidon/poseidon_test.go b/poseidon/poseidon_test.go
index 60aa908..6972d2a 100644
--- a/poseidon/poseidon_test.go
+++ b/poseidon/poseidon_test.go
@@ -66,6 +66,16 @@ func TestPoseidon(t *testing.T) {
 assert.Equal(t, "10747013384255785702102976082726575658403084163954725275481577373644732938016", hmsg2.String())
 }
+func TestPoseidonBroken(t *testing.T) {
+ h1, err := Hash([]*big.Int{big.NewInt(0), big.NewInt(1), big.NewInt(2), big.NewInt(3), big.NewInt(4),
+ big.NewInt(5), big.NewInt(6), big.NewInt(7), big.NewInt(8), big.NewInt(9)})
+ assert.Nil(t, err)
+ h2, err := Hash([]*big.Int{big.NewInt(5), big.NewInt(6), big.NewInt(7), big.NewInt(8), big.NewInt(9),
+ big.NewInt(0), big.NewInt(1), big.NewInt(2), big.NewInt(3), big.NewInt(4)})
+ assert.Nil(t, err)
+ assert.NotEqual(t, h1, h2)
+}
+
 func BenchmarkPoseidon(b *testing.B) {
 b12 := big.NewInt(int64(12))
 b45 := big.NewInt(int64(45))
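Review bot: The `else` branch of the inner loop pads a short final block with zero, and nothing visible here mixes `len(arr)` into the block, so `arr` and `arr` followed by extra zero elements produce the same five-element blocks. Unless the part of `Hash` outside this hunk binds the length, those inputs hash to the same value. This is separate from the block-reordering case the new test covers, and the switch to a `[5]*big.Int` array leaves it unchanged. I would record it above the padding line, e.g. `// zero padding is not injective: trailing zeros in arr are indistinguishable from padding`, and add a test that compares the two inputs. Every padded slot now also holds the same `_constants.Zero` value (presumably one shared `*big.Int`), which is only safe while `PoseidonHash` never writes to its inputs; `fiveElems[j] = new(big.Int)` avoids relying on that.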
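Review bot: `TestPoseidonBroken` has no comment stating the property it pins, and the name does not say it either: the two inputs are the same ten values with their five-element blocks swapped, so the test asserts that block order affects the digest. A doc comment such as `// TestPoseidonBroken checks that swapping two five-element blocks of the input changes Hash's output.` would make that clear. Going by the commit subject, the test is expected to fail until `Hash` is fixed, which the comment should also say. `assert.Nil(t, err)` does not stop the test, so a failed `Hash` call would go on to compare nil pointers; comparing the way the neighbouring test does, `assert.NotEqual(t, h1.String(), h2.String())` after `assert.NoError(t, err)`, is clearer and reports readable values on failure.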