fix #1167 Verify password length to prevent denial of service attack caused by too long password

2 years ago · f59bef0a0d
parent 292dd9ad59
commit f59bef0a0d
2 changed files with 20 additions and 4 deletions
--- a/hippo4j-server/hippo4j-auth/src/main/java/cn/hippo4j/auth/service/impl/UserServiceImpl.java
+++ b/hippo4j-server/hippo4j-auth/src/main/java/cn/hippo4j/auth/service/impl/UserServiceImpl.java
@ -51,6 +51,8 @@ public class UserServiceImpl implements UserService {

    private static final int MINI_PASSWORD_LENGTH = 6;

+    private static final int MAX_PASSWORD_LENGTH = 72;
+
    private final UserMapper userMapper;

    private final BCryptPasswordEncoder bCryptPasswordEncoder;
@ -74,6 +76,7 @@ public class UserServiceImpl implements UserService {
        if (existUserInfo != null) {
            throw new RuntimeException("用户名重复");
        }
+        this.checkPasswordLength(requestParam.getPassword());
        requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword()));
        UserInfo insertUser = BeanUtil.convert(requestParam, UserInfo.class);
        userMapper.insert(insertUser);
@ -84,9 +87,7 @@ public class UserServiceImpl implements UserService {
    @Transactional(rollbackFor = Exception.class)
    public void updateUser(UserReqDTO requestParam) {
        if (StringUtil.isNotBlank(requestParam.getPassword())) {
-            if (requestParam.getPassword().length() < MINI_PASSWORD_LENGTH) {
-                throw new RuntimeException("密码最少为6个字符");
-            }
+            this.checkPasswordLength(requestParam.getPassword());
            requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword()));
        }
        UserInfo updateUser = BeanUtil.convert(requestParam, UserInfo.class);
@ -129,4 +130,17 @@ public class UserServiceImpl implements UserService {
        result.setTempResources(permissionRespList.stream().map(PermissionRespDTO::getResource).collect(Collectors.toList()));
        return result;
    }
+
+    private void checkPasswordLength(String password) {
+        if (StringUtil.isBlank(password)) {
+            return;
+        }
+        if (password.length() < MINI_PASSWORD_LENGTH) {
+            throw new RuntimeException("密码最少为6个字符");
+        }
+        if (password.length() > MAX_PASSWORD_LENGTH) {
+            throw new RuntimeException("密码最多为72个字符");
+        }
+    }
+
 }
--- a/hippo4j-ui/src/views/login/index.vue
+++ b/hippo4j-ui/src/views/login/index.vue
@ -88,7 +88,9 @@ export default {
    const validatePassword = (rule, value, callback) => {
      if (value.length < 6) {
        callback(new Error('The password can not be less than 6 digits'));
-      } else {
+      } else if (value.length > 72) {
+        callback(new Error('The password can not be greater than 72 digits'));
+      }else {
        callback();
      }
    };