git724/forgejo
1
0
Fork 0
Code Issues Pull requests 3 Projects 1 Releases Packages Wiki Activity

Ensure complexity, minlength and ispwned are checked on password setting (#18005)

Browse source 
It appears that there are several places that password length, complexity and ispwned
are not currently been checked when changing passwords. This PR adds these.

Fix #17977

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
zeripath 2021-12-17 02:03:39 +00:00 committed by GitHub
commit d29b689f81
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
cmd/admin.go
View file

@ -379,6 +379,10 @@ func runChangePassword(c *cli.Context) error {
if err := initDB(ctx); err != nil { if err := initDB(ctx); err != nil {
return err return err
} }
if len(c.String("password")) < setting.MinPasswordLength {
return fmt.Errorf("Password is not long enough. Needs to be at least %d", setting.MinPasswordLength)
}
if !pwd.IsComplexEnough(c.String("password")) { if !pwd.IsComplexEnough(c.String("password")) {
return errors.New("Password does not meet complexity requirements") return errors.New("Password does not meet complexity requirements")
} }

5
routers/api/v1/admin/user.go
View file

@ -20,6 +20,7 @@ import (
"code.gitea.io/gitea/modules/convert" "code.gitea.io/gitea/modules/convert"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/password" "code.gitea.io/gitea/modules/password"
"code.gitea.io/gitea/modules/setting"
api "code.gitea.io/gitea/modules/structs" api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/web" "code.gitea.io/gitea/modules/web"
"code.gitea.io/gitea/routers/api/v1/user" "code.gitea.io/gitea/routers/api/v1/user"
@ -173,6 +174,10 @@ func EditUser(ctx *context.APIContext) {
} }
if len(form.Password) != 0 { if len(form.Password) != 0 {
if len(form.Password) < setting.MinPasswordLength {
ctx.Error(http.StatusBadRequest, "PasswordTooShort", fmt.Errorf("password must be at least %d characters", setting.MinPasswordLength))
return
}
if !password.IsComplexEnough(form.Password) { if !password.IsComplexEnough(form.Password) {
err := errors.New("PasswordComplexity") err := errors.New("PasswordComplexity")
ctx.Error(http.StatusBadRequest, "PasswordComplexity", err) ctx.Error(http.StatusBadRequest, "PasswordComplexity", err)

17
routers/web/user/auth.go
View file

@ -1873,8 +1873,23 @@ func MustChangePasswordPost(ctx *context.Context) {
ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form) ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form)
return return
} }
if !password.IsComplexEnough(form.Password) {
ctx.Data["Err_Password"] = true
ctx.RenderWithErr(password.BuildComplexityError(ctx), tplMustChangePassword, &form)
return
}
pwned, err := password.IsPwned(ctx, form.Password)
if pwned {
ctx.Data["Err_Password"] = true
errMsg := ctx.Tr("auth.password_pwned")
if err != nil {
log.Error(err.Error())
errMsg = ctx.Tr("auth.password_pwned_err")
}
ctx.RenderWithErr(errMsg, tplMustChangePassword, &form)
return
}
var err error
if err = u.SetPassword(form.Password); err != nil { if err = u.SetPassword(form.Password); err != nil {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return