fix #1167 Verify password length to prevent denial of service attack … (#1188)

* fix #1167 Verify password length to prevent a denial-of-service attack caused by an over-long password

* Add unit tests
程序猿小石头 2 years ago committed by GitHub
parent 3b80c28e2d
commit 8215c2a981

@ -51,6 +51,8 @@ public class UserServiceImpl implements UserService {
private static final int MINI_PASSWORD_LENGTH = 6; private static final int MINI_PASSWORD_LENGTH = 6;
private static final int MAX_PASSWORD_LENGTH = 72;
private final UserMapper userMapper; private final UserMapper userMapper;
private final BCryptPasswordEncoder bCryptPasswordEncoder; private final BCryptPasswordEncoder bCryptPasswordEncoder;
@ -74,6 +76,7 @@ public class UserServiceImpl implements UserService {
if (existUserInfo != null) { if (existUserInfo != null) {
throw new RuntimeException("用户名重复"); throw new RuntimeException("用户名重复");
} }
this.checkPasswordLength(requestParam.getPassword());
requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword())); requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword()));
UserInfo insertUser = BeanUtil.convert(requestParam, UserInfo.class); UserInfo insertUser = BeanUtil.convert(requestParam, UserInfo.class);
userMapper.insert(insertUser); userMapper.insert(insertUser);
@ -84,9 +87,7 @@ public class UserServiceImpl implements UserService {
@Transactional(rollbackFor = Exception.class) @Transactional(rollbackFor = Exception.class)
public void updateUser(UserReqDTO requestParam) { public void updateUser(UserReqDTO requestParam) {
if (StringUtil.isNotBlank(requestParam.getPassword())) { if (StringUtil.isNotBlank(requestParam.getPassword())) {
if (requestParam.getPassword().length() < MINI_PASSWORD_LENGTH) { this.checkPasswordLength(requestParam.getPassword());
throw new RuntimeException("密码最少为6个字符");
}
requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword())); requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword()));
} }
UserInfo updateUser = BeanUtil.convert(requestParam, UserInfo.class); UserInfo updateUser = BeanUtil.convert(requestParam, UserInfo.class);
@ -129,4 +130,17 @@ public class UserServiceImpl implements UserService {
result.setTempResources(permissionRespList.stream().map(PermissionRespDTO::getResource).collect(Collectors.toList())); result.setTempResources(permissionRespList.stream().map(PermissionRespDTO::getResource).collect(Collectors.toList()));
return result; return result;
} }
protected void checkPasswordLength(String password) {
if (StringUtil.isBlank(password)) {
throw new RuntimeException("密码不可为空");
}
if (password.length() < MINI_PASSWORD_LENGTH) {
throw new RuntimeException("密码最少为6个字符");
}
if (password.length() > MAX_PASSWORD_LENGTH) {
throw new RuntimeException("密码最多为72个字符");
}
}
} }
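Review bot: The upper bound in checkPasswordLength (fourth hunk) compares `password.length()`, which counts UTF-16 code units, against MAX_PASSWORD_LENGTH, but the 72 it guards against is bcrypt's input limit in bytes of the encoded password (Spring Security's BCrypt hashes the UTF-8 bytes), so a 72-character password made of multi-byte characters such as CJK passes this check and still reaches `bCryptPasswordEncoder.encode` over-long, where, depending on the BCrypt version in use, the secret is either silently truncated or rejected with an exception. Checking the encoded size closes that gap: `if (password.getBytes(StandardCharsets.UTF_8).length > MAX_PASSWORD_LENGTH) {` (this needs `java.nio.charset.StandardCharsets`, which is not visible in this diff). The literal "6" and "72" in the messages duplicate MINI_PASSWORD_LENGTH and MAX_PASSWORD_LENGTH and will drift if the constants change; build the messages from the constants. In the second hunk the check runs only after the username-uniqueness lookup, so an over-long password still costs a database round-trip before being rejected; validating before the query is cheaper for the DoS case this commit targets. The same bound presumably matters wherever a raw password reaches `bCryptPasswordEncoder.matches` (the login path), which this diff does not touch, so that is worth confirming.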

@ -0,0 +1,20 @@
package cn.hippo4j.auth.service.impl;
import org.junit.Assert;
import org.junit.jupiter.api.Test;
class UserServiceImplTest {
@Test
void checkPasswordLength() {
//密码为null、空串、过短、过长都会抛出异常
UserServiceImpl userService = new UserServiceImpl(null, null, null);
Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(null));
Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(""));
String shortPassword = "12345";
Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(shortPassword));
String LongPassword = "fjhdjfghdsgahfgajdhsgafghdsbvhbervjdsvhdsbhfbhsdbhfbhsdbavbsbdhjfbhjsdbhfbsdbf";
Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(LongPassword));
}
}
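Review bot: The test pins only the rejecting cases; nothing asserts that a 6- or 72-character password is accepted, nor that 5 and 73 fall on the right side of each comparison, so an off-by-one in either bound in checkPasswordLength would still pass this suite. It also mixes JUnit 4's `org.junit.Assert` with JUnit 5's `@Test`; `org.junit.jupiter.api.Assertions.assertThrows` and `assertDoesNotThrow` keep it on one API, and `LongPassword` should be `longPassword` per Java naming. Boundary assertions would look like the following (`String.repeat` needs Java 11+; on an older target build the strings with a loop or literals).

```java
// … unchanged: null / "" / "12345" assertions …
Assertions.assertDoesNotThrow(() -> userService.checkPasswordLength("a".repeat(6)));
Assertions.assertDoesNotThrow(() -> userService.checkPasswordLength("a".repeat(72)));
Assertions.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength("a".repeat(73)));
// NOTE(review): a 72-character non-ASCII password exceeds 72 UTF-8 bytes — confirm what the
// service should do with it and pin that here as well.
```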

@ -88,6 +88,8 @@ export default {
const validatePassword = (rule, value, callback) => { const validatePassword = (rule, value, callback) => {
if (value.length < 6) { if (value.length < 6) {
callback(new Error('The password can not be less than 6 digits')); callback(new Error('The password can not be less than 6 digits'));
} else if (value.length > 72) {
callback(new Error('The password can not be greater than 72 digits'));
}else { }else {
callback(); callback();
} }
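Review bot: The new error text says "digits", but the limit counts characters (it mirrors the existing 6-character message, which carries the same wording); `callback(new Error('The password can not be longer than 72 characters'));` reads correctly, and the joined `}else {` should be `} else {` to match the surrounding style. `value.length` counts UTF-16 code units, so this client-side check and the server's limit can disagree for non-ASCII passwords; treat it as a usability hint only, with the server-side check remaining the control that matters. The `validatePassword` function closes outside the hunk.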
