fix(security): enforce 128-character maximum password length
Unlike bcrypt, SHA-512 crypt does not truncate input at 72 characters, so an unbounded password length allows DoS via CPU exhaustion. Caps input at 128 characters and adds unit tests for the boundary conditions in checkPasswdConstraint. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
86a83bc5e7
commit
54b74fb233
2 changed files with 36 additions and 0 deletions
|
|
@ -11,6 +11,9 @@ func checkPasswdConstraint(password string) error {
|
||||||
if len(password) < 12 {
|
if len(password) < 12 {
|
||||||
return errors.New("too short, please choose a password at least 12 characters long")
|
return errors.New("too short, please choose a password at least 12 characters long")
|
||||||
}
|
}
|
||||||
|
if len(password) > 128 {
|
||||||
|
return errors.New("too long, please choose a password at most 128 characters long")
|
||||||
|
}
|
||||||
|
|
||||||
var hasUpper, hasLower, hasDigit bool
|
var hasUpper, hasLower, hasDigit bool
|
||||||
for _, r := range password {
|
for _, r := range password {
|
||||||
|
|
|
||||||
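--- /dev/null
+++ b/change_test.go
@@ -0,0 +1,33 @@
+package main
+
+import (
+"strings"
+"testing"
+)
+
+func TestCheckPasswdConstraint(t *testing.T) {
+tests := []struct {
+name string
+pass string
+wantErr bool
+}{
+{"valid password", "Correct1Horse", false},
+{"too short", "Short1A", true},
+{"exactly 12 chars", "Abcdefgh1234", false},
+{"no uppercase", "correct1horse", true},
+{"no lowercase", "CORRECT1HORSE", true},
+{"no digit", "CorrectHorse!", true},
+{"exactly 128 chars", strings.Repeat("a", 126) + "A1", false},
+{"129 chars is too long", strings.Repeat("a", 127) + "A1", true},
+{"very long password", strings.Repeat("Aa1", 100), true},
+}
+
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+err := checkPasswdConstraint(tt.pass)
+if (err != nil) != tt.wantErr {
+t.Errorf("checkPasswdConstraint(%q) error = %v, wantErr %v", tt.pass, err, tt.wantErr)
+}
+})
+}
+}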
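Review bot: The boundary cases `exactly 128 chars` and `129 chars is too long` use ASCII only, so the table never pins whether the limit counts bytes or characters; the new check in the first hunk on this page compares `len(password) > 128`, which is a byte count, so a 128-character password containing non-ASCII runes is rejected even though the error text says "at most 128 characters". Byte length is the right bound for the hashing cost, so I would keep the check as written and make the intent explicit in the tests with a case such as `{"128 runes but more than 128 bytes", strings.Repeat("é", 125) + "aA1", true},` plus a comment on the limit stating that it is measured in bytes. The table also only checks `err != nil`, so the too-long cases cannot tell the length error apart from the other constraints; adding an expected error substring per case would make each boundary assertion unambiguous.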