fix(security): enforce 128-character maximum password length
SHA-512 crypt has no 72-char truncation like bcrypt, but an unbounded password length allows DoS via CPU exhaustion. Caps input at 128 chars and adds unit tests for boundary conditions in checkPasswdConstraint. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
86a83bc5e7
commit
54b74fb233
2 changed files with 36 additions and 0 deletions
|
|
@ -11,6 +11,9 @@ func checkPasswdConstraint(password string) error {
|
|||
if len(password) < 12 {
|
||||
return errors.New("too short, please choose a password at least 12 characters long")
|
||||
}
|
||||
if len(password) > 128 {
|
||||
return errors.New("too long, please choose a password at most 128 characters long")
|
||||
}
|
||||
|
||||
var hasUpper, hasLower, hasDigit bool
|
||||
for _, r := range password {
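Review bot: The new upper bound is measured in bytes, because `len(password)` counts UTF-8 bytes rather than characters, while the added message promises "at most 128 characters"; a password of 43 three-byte runes is refused although it is well under 128 characters. For the stated purpose of bounding the work handed to SHA-512 crypt a byte limit is the right measure, so the smaller fix is to make the wording match, e.g. `return errors.New("too long, please choose a password at most 128 bytes long")`, or to record the choice above the check with `// len() is a byte count; the cap bounds hashing cost, so bytes are the right unit`. The value 128 now appears twice (condition and message), and a named constant beside the existing minimum would keep them in sync. checkPasswdConstraint's body continues past the hunk, and the unit tests the description mentions live in the other changed file, which is not shown here.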
|
||||
|
|
|
|||