From 2051f850ef8380420b3b465eea3a92eefe185650 Mon Sep 17 00:00:00 2001 From: zeripath Date: Fri, 17 Dec 2021 21:24:59 +0000 Subject: [PATCH] Ensure complexity, minlength and ispwned are checked on password setting (#18005) (#18015) Backport #18005 It appears that there are several places that password length, complexity and ispwned are not currently been checked when changing passwords. This PR adds these. Fix #17977 Signed-off-by: Andrew Thornton --- cmd/admin.go | 4 ++++ routers/api/v1/admin/user.go | 5 +++++ routers/web/user/auth.go | 17 ++++++++++++++++- 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/cmd/admin.go b/cmd/admin.go index f58a1f996..674c5792c 100644 --- a/cmd/admin.go +++ b/cmd/admin.go @@ -335,6 +335,10 @@ func runChangePassword(c *cli.Context) error { if err := initDB(); err != nil { return err } + if len(c.String("password")) < setting.MinPasswordLength { + return fmt.Errorf("Password is not long enough. Needs to be at least %d", setting.MinPasswordLength) + } + if !pwd.IsComplexEnough(c.String("password")) { return errors.New("Password does not meet complexity requirements") } diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go index 67667f44d..86ec548a8 100644 --- a/routers/api/v1/admin/user.go +++ b/routers/api/v1/admin/user.go @@ -16,6 +16,7 @@ import ( "code.gitea.io/gitea/modules/convert" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/password" + "code.gitea.io/gitea/modules/setting" api "code.gitea.io/gitea/modules/structs" "code.gitea.io/gitea/modules/web" "code.gitea.io/gitea/routers/api/v1/user" @@ -167,6 +168,10 @@ func EditUser(ctx *context.APIContext) { } if len(form.Password) != 0 { + if len(form.Password) < setting.MinPasswordLength { + ctx.Error(http.StatusBadRequest, "PasswordTooShort", fmt.Errorf("password must be at least %d characters", setting.MinPasswordLength)) + return + } if !password.IsComplexEnough(form.Password) { err := errors.New("PasswordComplexity") ctx.Error(http.StatusBadRequest, "PasswordComplexity", err) diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go index 65986a19e..4ae00cc83 100644 --- a/routers/web/user/auth.go +++ b/routers/web/user/auth.go @@ -1748,8 +1748,23 @@ func MustChangePasswordPost(ctx *context.Context) { ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form) return } + if !password.IsComplexEnough(form.Password) { + ctx.Data["Err_Password"] = true + ctx.RenderWithErr(password.BuildComplexityError(ctx), tplMustChangePassword, &form) + return + } + pwned, err := password.IsPwned(ctx, form.Password) + if pwned { + ctx.Data["Err_Password"] = true + errMsg := ctx.Tr("auth.password_pwned") + if err != nil { + log.Error(err.Error()) + errMsg = ctx.Tr("auth.password_pwned_err") + } + ctx.RenderWithErr(errMsg, tplMustChangePassword, &form) + return + } - var err error if err = u.SetPassword(form.Password); err != nil { ctx.ServerError("UpdateUser", err) return