diff --git a/modules/base/tool.go b/modules/base/tool.go index a21fd9b0f..522fd3d0f 100644 --- a/modules/base/tool.go +++ b/modules/base/tool.go @@ -10,6 +10,7 @@ import ( "crypto/sha256" "encoding/base64" "encoding/hex" + "errors" "fmt" "net/http" "net/url" @@ -65,6 +66,11 @@ func BasicAuthDecode(encoded string) (string, string, error) { } auth := strings.SplitN(string(s), ":", 2) + + if len(auth) != 2 { + return "", "", errors.New("invalid basic authentication") + } + return auth[0], auth[1], nil } diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go index f765fd0db..d2187facd 100644 --- a/modules/base/tool_test.go +++ b/modules/base/tool_test.go @@ -46,6 +46,12 @@ func TestBasicAuthDecode(t *testing.T) { assert.NoError(t, err) assert.Equal(t, "foo", user) assert.Equal(t, "bar", pass) + + _, _, err = BasicAuthDecode("aW52YWxpZA==") + assert.Error(t, err) + + _, _, err = BasicAuthDecode("invalid") + assert.Error(t, err) } func TestBasicAuthEncode(t *testing.T) {