fix #1167 Verify password length to prevent denial of service attack … (#1188)

* fix #1167 Verify password length to prevent denial of service attack caused by too long password * Add unit tests
2 years ago · 8215c2a981
parent 3b80c28e2d
commit 8215c2a981
3 changed files with 40 additions and 4 deletions
--- a/hippo4j-server/hippo4j-auth/src/main/java/cn/hippo4j/auth/service/impl/UserServiceImpl.java
+++ b/hippo4j-server/hippo4j-auth/src/main/java/cn/hippo4j/auth/service/impl/UserServiceImpl.java
@ -51,6 +51,8 @@ public class UserServiceImpl implements UserService {
    private static final int MINI_PASSWORD_LENGTH = 6;
    private static final int MAX_PASSWORD_LENGTH = 72;
    private final UserMapper userMapper;
    private final BCryptPasswordEncoder bCryptPasswordEncoder;
@ -74,6 +76,7 @@ public class UserServiceImpl implements UserService {
        if (existUserInfo != null) {
            throw new RuntimeException("用户名重复");
        }
        this.checkPasswordLength(requestParam.getPassword());
        requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword()));
        UserInfo insertUser = BeanUtil.convert(requestParam, UserInfo.class);
        userMapper.insert(insertUser);
@ -84,9 +87,7 @@ public class UserServiceImpl implements UserService {
    @Transactional(rollbackFor = Exception.class)
    public void updateUser(UserReqDTO requestParam) {
        if (StringUtil.isNotBlank(requestParam.getPassword())) {
-            if (requestParam.getPassword().length() < MINI_PASSWORD_LENGTH) {
+            this.checkPasswordLength(requestParam.getPassword());
                throw new RuntimeException("密码最少为6个字符");
            }
            requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword()));
        }
        UserInfo updateUser = BeanUtil.convert(requestParam, UserInfo.class);
@ -129,4 +130,17 @@ public class UserServiceImpl implements UserService {
        result.setTempResources(permissionRespList.stream().map(PermissionRespDTO::getResource).collect(Collectors.toList()));
        return result;
    }
    protected void checkPasswordLength(String password) {
        if (StringUtil.isBlank(password)) {
            throw new RuntimeException("密码不可为空");
        }
        if (password.length() < MINI_PASSWORD_LENGTH) {
            throw new RuntimeException("密码最少为6个字符");
        }
        if (password.length() > MAX_PASSWORD_LENGTH) {
            throw new RuntimeException("密码最多为72个字符");
        }
    }
 }
--- a/hippo4j-server/hippo4j-auth/src/test/java/cn/hippo4j/auth/service/impl/UserServiceImplTest.java
+++ b/hippo4j-server/hippo4j-auth/src/test/java/cn/hippo4j/auth/service/impl/UserServiceImplTest.java
@ -0,0 +1,20 @@
 package cn.hippo4j.auth.service.impl;
 import org.junit.Assert;
 import org.junit.jupiter.api.Test;
 class UserServiceImplTest {
    @Test
    void checkPasswordLength() {
        //密码为null、空串、过短、过长都会抛出异常
        UserServiceImpl userService = new UserServiceImpl(null, null, null);
        Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(null));
        Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(""));
        String shortPassword = "12345";
        Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(shortPassword));
        String LongPassword = "fjhdjfghdsgahfgajdhsgafghdsbvhbervjdsvhdsbhfbhsdbhfbhsdbavbsbdhjfbhjsdbhfbsdbf";
        Assert.assertThrows(RuntimeException.class, () -> userService.checkPasswordLength(LongPassword));
    }
 }
--- a/hippo4j-ui/src/views/login/index.vue
+++ b/hippo4j-ui/src/views/login/index.vue
@ -88,7 +88,9 @@ export default {
    const validatePassword = (rule, value, callback) => {
      if (value.length < 6) {
        callback(new Error('The password can not be less than 6 digits'));
-      } else {
+      } else if (value.length > 72) {
        callback(new Error('The password can not be greater than 72 digits'));
      }else {
        callback();
      }
    };