
fix opengoofy#1167 Verify password length to prevent denial of servic…
…e attack … (opengoofy#1188)

* fix opengoofy#1167 Verify password length to prevent denial of service attack caused by too long password

* Add unit tests
ishikaibin authored Apr 23, 2023
1 parent 3b80c28 commit 8215c2a
Showing 3 changed files with 40 additions and 4 deletions.
Expand Up @@ -51,6 +51,8 @@ public class UserServiceImpl implements UserService {

private static final int MINI_PASSWORD_LENGTH = 6;

private static final int MAX_PASSWORD_LENGTH = 72;

private final UserMapper userMapper;

private final BCryptPasswordEncoder bCryptPasswordEncoder;
Expand All @@ -74,6 +76,7 @@ public void addUser(UserReqDTO requestParam) {
if (existUserInfo != null) {
throw new RuntimeException("用户名重复");
}
this.checkPasswordLength(requestParam.getPassword());
requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword()));
UserInfo insertUser = BeanUtil.convert(requestParam, UserInfo.class);
userMapper.insert(insertUser);
Expand All @@ -84,9 +87,7 @@ public void addUser(UserReqDTO requestParam) {
@Transactional(rollbackFor = Exception.class)
public void updateUser(UserReqDTO requestParam) {
if (StringUtil.isNotBlank(requestParam.getPassword())) {
if (requestParam.getPassword().length() < MINI_PASSWORD_LENGTH) {
throw new RuntimeException("密码最少为6个字符");
}
this.checkPasswordLength(requestParam.getPassword());
requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword()));
}
UserInfo updateUser = BeanUtil.convert(requestParam, UserInfo.class);
Expand Down Expand Up @@ -129,4 +130,17 @@ private UserRespDTO buildUserInfo(UserInfo userInfo) {
result.setTempResources(permissionRespList.stream().map(PermissionRespDTO::getResource).collect(Collectors.toList()));
return result;
}

protected void checkPasswordLength(String password) {
if (StringUtil.isBlank(password)) {
throw new RuntimeException("密码不可为空");
}
if (password.length() < MINI_PASSWORD_LENGTH) {
throw new RuntimeException("密码最少为6个字符");
}
if (password.length() > MAX_PASSWORD_LENGTH) {
throw new RuntimeException("密码最多为72个字符");
}
}

}
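Review bot: The upper bound in `checkPasswordLength` compares `password.length()`, i.e. UTF-16 code units, against `MAX_PASSWORD_LENGTH = 72`, but bcrypt's 72 limit applies to the encoded bytes, so a 72-character password made of non-ASCII characters can exceed 72 UTF-8 bytes and still pass this check, leaving the encoder to either silently truncate it or reject it with its own exception depending on the version. If the intent is to guard the bcrypt input, compare bytes for the upper bound, `if (password.getBytes(StandardCharsets.UTF_8).length > MAX_PASSWORD_LENGTH)` (import `java.nio.charset.StandardCharsets`), and state the unit in the message or a comment; the lower bound is fine as a character count. The same helper is now called from the `addUser` and `updateUser` hunks above, so the byte-based check would apply uniformly. A Javadoc on the new method would help, e.g. `/** Rejects blank passwords and those outside [MINI_PASSWORD_LENGTH, MAX_PASSWORD_LENGTH]. @throws RuntimeException when the password is blank, too short or too long */`.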
@@ -0,0 +1,20 @@
package cn.hippo4j.auth.service.impl;

import org.junit.Assert;
import org.junit.jupiter.api.Test;

class UserServiceImplTest {

@Test
void checkPasswordLength() {
//密码为null、空串、过短、过长都会抛出异常
UserServiceImpl userService = new UserServiceImpl(null, null, null);
Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(null));
Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(""));
String shortPassword = "12345";
Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(shortPassword));
String LongPassword = "fjhdjfghdsgahfgajdhsgafghdsbvhbervjdsvhdsbhfbhsdbhfbhsdbavbsbdhjfbhjsdbhfbsdbf";
Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(LongPassword));
}

}
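Review bot: The new test mixes JUnit 4's `org.junit.Assert` with JUnit 5's `@Test` from `org.junit.jupiter.api`, which only works while both engines stay on the test classpath; use `Assertions.assertThrows` from `org.junit.jupiter.api` instead. It also asserts only the rejecting paths, so a regression in the comparison operators would not be caught: add a passing case and the boundaries, e.g. `Assertions.assertDoesNotThrow(() -> userService.checkPasswordLength("123456"));` and the same for a 72-character value, plus a 73-character value that throws. The local `LongPassword` should be `longPassword` per Java naming. The call `new UserServiceImpl(null, null, null)` presumably relies on the method touching no injected field, which holds for the visible body of `checkPasswordLength`.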
4 changes: 3 additions & 1 deletion hippo4j-ui/src/views/login/index.vue
Expand Up @@ -88,7 +88,9 @@ export default {
const validatePassword = (rule, value, callback) => {
if (value.length < 6) {
callback(new Error('The password can not be less than 6 digits'));
} else {
} else if (value.length > 72) {
callback(new Error('The password can not be greater than 72 digits'));
}else {
callback();
}
};
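Review bot: `value.length` in the new `else if` counts UTF-16 code units, and if the backend bound added in the same commit is meant as bcrypt's 72 bytes, a 72-character non-ASCII password passes this client check and is rejected or truncated server-side; treat this branch as a usability hint and keep the server response authoritative. The new message says "digits" although the field accepts any character, so `callback(new Error('The password can not be longer than 72 characters'));` would be accurate (the existing 6-"digits" message has the same wording). Spacing: `}else {` on the following line should be `} else {` to match the surrounding style.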
