fix #1167 Verify password length to prevent denial of service attack caused by too long password

pull/1188/head
shikaibin 2 years ago
parent 292dd9ad59
commit f59bef0a0d

@ -51,6 +51,8 @@ public class UserServiceImpl implements UserService {
private static final int MINI_PASSWORD_LENGTH = 6; private static final int MINI_PASSWORD_LENGTH = 6;
private static final int MAX_PASSWORD_LENGTH = 72;
private final UserMapper userMapper; private final UserMapper userMapper;
private final BCryptPasswordEncoder bCryptPasswordEncoder; private final BCryptPasswordEncoder bCryptPasswordEncoder;
@ -74,6 +76,7 @@ public class UserServiceImpl implements UserService {
if (existUserInfo != null) { if (existUserInfo != null) {
throw new RuntimeException("用户名重复"); throw new RuntimeException("用户名重复");
} }
this.checkPasswordLength(requestParam.getPassword());
requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword())); requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword()));
UserInfo insertUser = BeanUtil.convert(requestParam, UserInfo.class); UserInfo insertUser = BeanUtil.convert(requestParam, UserInfo.class);
userMapper.insert(insertUser); userMapper.insert(insertUser);
@ -84,9 +87,7 @@ public class UserServiceImpl implements UserService {
@Transactional(rollbackFor = Exception.class) @Transactional(rollbackFor = Exception.class)
public void updateUser(UserReqDTO requestParam) { public void updateUser(UserReqDTO requestParam) {
if (StringUtil.isNotBlank(requestParam.getPassword())) { if (StringUtil.isNotBlank(requestParam.getPassword())) {
if (requestParam.getPassword().length() < MINI_PASSWORD_LENGTH) { this.checkPasswordLength(requestParam.getPassword());
throw new RuntimeException("密码最少为6个字符");
}
requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword())); requestParam.setPassword(bCryptPasswordEncoder.encode(requestParam.getPassword()));
} }
UserInfo updateUser = BeanUtil.convert(requestParam, UserInfo.class); UserInfo updateUser = BeanUtil.convert(requestParam, UserInfo.class);
@ -129,4 +130,17 @@ public class UserServiceImpl implements UserService {
result.setTempResources(permissionRespList.stream().map(PermissionRespDTO::getResource).collect(Collectors.toList())); result.setTempResources(permissionRespList.stream().map(PermissionRespDTO::getResource).collect(Collectors.toList()));
return result; return result;
} }
private void checkPasswordLength(String password) {
if (StringUtil.isBlank(password)) {
return;
}
if (password.length() < MINI_PASSWORD_LENGTH) {
throw new RuntimeException("密码最少为6个字符");
}
if (password.length() > MAX_PASSWORD_LENGTH) {
throw new RuntimeException("密码最多为72个字符");
}
}
} }
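Review bot: `checkPasswordLength` in the last hunk compares `password.length()`, which counts UTF-16 code units, against `MAX_PASSWORD_LENGTH = 72`, but the bcrypt limit that motivates that constant is 72 bytes of the UTF-8-encoded password, so a password of 72 non-ASCII characters (plausible given the Chinese-language messages) passes the check and is then either silently truncated or rejected by the encoder, depending on the Spring Security version. If the constant is meant to mirror bcrypt, compare the byte length instead, `if (password.getBytes(StandardCharsets.UTF_8).length > MAX_PASSWORD_LENGTH) {` with a comment such as `// bcrypt processes at most the first 72 bytes of the UTF-8 password`, and word the message in bytes or lower the character limit accordingly. The two messages also hard-code `6` and `72` separately from the constants they enforce; building them from `MINI_PASSWORD_LENGTH` and `MAX_PASSWORD_LENGTH` keeps them from drifting when the constants change. The blank-password early return means the new call in the registration hunk does not by itself reject an empty password; presumably a not-blank check exists upstream, which is worth confirming.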

@ -88,7 +88,9 @@ export default {
const validatePassword = (rule, value, callback) => { const validatePassword = (rule, value, callback) => {
if (value.length < 6) { if (value.length < 6) {
callback(new Error('The password can not be less than 6 digits')); callback(new Error('The password can not be less than 6 digits'));
} else { } else if (value.length > 72) {
callback(new Error('The password can not be greater than 72 digits'));
}else {
callback(); callback();
} }
}; };
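Review bot: The new message in `validatePassword` says `digits` for a limit that applies to any character, repeating the wording problem of the existing minimum message; `callback(new Error('The password can not be longer than 72 characters'));` is clearer, and the `}else {` on the next line should read `} else {` to match the surrounding formatting. Like the server-side check, `value.length` counts UTF-16 code units rather than UTF-8 bytes, so if the backend limit is ever tightened to bcrypt's 72-byte bound this client check would need `new TextEncoder().encode(value).length` to stay aligned. The enclosing `export default` object continues outside the hunk.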
