fix #1167 Verify password length to prevent denial of service attack … (#1188)

* fix #1167 Verify password length to prevent denial of service attack caused by too long password

* Add unit tests

hippo4j-server/hippo4j-auth/src/main/java/cn/hippo4j/auth/service/impl/UserServiceImpl.java

@@ -51,6 +51,8 @@ public class UserServiceImpl implements UserService {
 
     private static final int MINI_PASSWORD_LENGTH = 6;
 
+    private static final int MAX_PASSWORD_LENGTH = 72;
+
     private final UserMapper userMapper;
 
     private final BCryptPasswordEncoder bCryptPasswordEncoder;
@@ -74,6 +76,7 @@ public class UserServiceImpl implements UserService {
         if (existUserInfo != null) {
             throw new RuntimeException("用户名重复");
         }
+        this.checkPasswordLength(requestParam.getPassword());
         requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword()));
         UserInfo insertUser = BeanUtil.convert(requestParam, UserInfo.class);
         userMapper.insert(insertUser);
@@ -84,9 +87,7 @@ public class UserServiceImpl implements UserService {
     @Transactional(rollbackFor = Exception.class)
     public void updateUser(UserReqDTO requestParam) {
         if (StringUtil.isNotBlank(requestParam.getPassword())) {
-            if (requestParam.getPassword().length() < MINI_PASSWORD_LENGTH) {
-                throw new RuntimeException("密码最少为6个字符");
-            }
+            this.checkPasswordLength(requestParam.getPassword());
             requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword()));
         }
         UserInfo updateUser = BeanUtil.convert(requestParam, UserInfo.class);
@@ -129,4 +130,17 @@ public class UserServiceImpl implements UserService {
         result.setTempResources(permissionRespList.stream().map(PermissionRespDTO::getResource).collect(Collectors.toList()));
         return result;
     }
+
+    protected void checkPasswordLength(String password) {
+        if (StringUtil.isBlank(password)) {
+            throw new RuntimeException("密码不可为空");
+        }
+        if (password.length() < MINI_PASSWORD_LENGTH) {
+            throw new RuntimeException("密码最少为6个字符");
+        }
+        if (password.length() > MAX_PASSWORD_LENGTH) {
+            throw new RuntimeException("密码最多为72个字符");
+        }
+    }
+
 }

hippo4j-server/hippo4j-auth/src/test/java/cn/hippo4j/auth/service/impl/UserServiceImplTest.java

@@ -0,0 +1,20 @@
+package cn.hippo4j.auth.service.impl;
+
+import org.junit.Assert;
+import org.junit.jupiter.api.Test;
+
+class UserServiceImplTest {
+
+    @Test
+    void checkPasswordLength() {
+        //密码为null、空串、过短、过长都会抛出异常
+        UserServiceImpl userService = new UserServiceImpl(null, null, null);
+        Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(null));
+        Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(""));
+        String shortPassword = "12345";
+        Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(shortPassword));
+        String LongPassword = "fjhdjfghdsgahfgajdhsgafghdsbvhbervjdsvhdsbhfbhsdbhfbhsdbavbsbdhjfbhjsdbhfbsdbf";
+        Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(LongPassword));
+    }
+
+}

hippo4j-ui/src/views/login/index.vue

@@ -88,7 +88,9 @@ export default {
     const validatePassword = (rule, value, callback) => {
       if (value.length < 6) {
         callback(new Error('The password can not be less than 6 digits'));
-      } else {
+      } else if (value.length > 72) {
+        callback(new Error('The password can not be greater than 72 digits'));
+      }else {
         callback();
       }
     };