fix(security): enforce 128-character maximum password length

SHA-512 crypt has no 72-char truncation like bcrypt, but an unbounded password length allows DoS via CPU exhaustion. Caps input at 128 chars and adds unit tests for boundary conditions in checkPasswdConstraint. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-23 10:41:08 +07:00 · 2026-03-23 10:41:08 +07:00 · 54b74fb233
commit 54b74fb233
parent 86a83bc5e7
2 changed files with 36 additions and 0 deletions
--- a/change.go
+++ b/change.go
@ -11,6 +11,9 @@ func checkPasswdConstraint(password string) error {
 	if len(password) < 12 {
 		return errors.New("too short, please choose a password at least 12 characters long")
 	}
+	if len(password) > 128 {
+		return errors.New("too long, please choose a password at most 128 characters long")
+	}

 	var hasUpper, hasLower, hasDigit bool
 	for _, r := range password {
--- a/change_test.go
+++ b/change_test.go
@ -0,0 +1,33 @@
+package main
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestCheckPasswdConstraint(t *testing.T) {
+	tests := []struct {
+		name    string
+		pass    string
+		wantErr bool
+	}{
+		{"valid password", "Correct1Horse", false},
+		{"too short", "Short1A", true},
+		{"exactly 12 chars", "Abcdefgh1234", false},
+		{"no uppercase", "correct1horse", true},
+		{"no lowercase", "CORRECT1HORSE", true},
+		{"no digit", "CorrectHorse!", true},
+		{"exactly 128 chars", strings.Repeat("a", 126) + "A1", false},
+		{"129 chars is too long", strings.Repeat("a", 127) + "A1", true},
+		{"very long password", strings.Repeat("Aa1", 100), true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := checkPasswdConstraint(tt.pass)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("checkPasswdConstraint(%q) error = %v, wantErr %v", tt.pass, err, tt.wantErr)
+			}
+		})
+	}
+}