SECURITY: Limit passwords to 200 characters

Prevents layer 8 attack.
2025-02-25 18:55:32 -06:00 · 2014-09-11 12:22:11 -07:00
parent 216ee9f2f1
commit 2c6d03f87f
8 changed files with 78 additions and 7 deletions
--- a/spec/controllers/session_controller_spec.rb
+++ b/spec/controllers/session_controller_spec.rb
@@ -186,6 +186,14 @@ describe SessionController do
        end
      end

+      describe 'invalid password' do
+        it "should return an error with an invalid password if too long" do
+          User.any_instance.expects(:confirm_password?).never
+          xhr :post, :create, login: user.username, password: ('s' * (User.max_password_length + 1))
+          ::JSON.parse(response.body)['error'].should be_present
+        end
+      end
+
      describe 'suspended user' do
        it 'should return an error' do
          User.any_instance.stubs(:suspended?).returns(true)
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -287,14 +287,28 @@ describe UsersController do
        EmailToken.expects(:confirm).with(token).returns(user)
      end

+      it "fails when the password is blank" do
+        put :password_reset, token: token, password: ''
+        assigns(:user).errors.should be_present
+        session[:current_user_id].should be_blank
+      end
+
+      it "fails when the password is too long" do
+        put :password_reset, token: token, password: ('x' * (User.max_password_length + 1))
+        assigns(:user).errors.should be_present
+        session[:current_user_id].should be_blank
+      end
+
      it "logs in the user" do
        put :password_reset, token: token, password: 'newpassword'
+        assigns(:user).errors.should be_blank
        session[:current_user_id].should be_present
      end

      it "doesn't log in the user when not approved" do
        SiteSetting.expects(:must_approve_users?).returns(true)
        put :password_reset, token: token, password: 'newpassword'
+        assigns(:user).errors.should be_blank
        session[:current_user_id].should be_blank
      end
    end
@@ -508,6 +522,11 @@ describe UsersController do
      include_examples 'failed signup'
    end

+    context 'when password is too long' do
+      let(:create_params) { {name: @user.name, username: @user.username, password: "x" * (User.max_password_length + 1), email: @user.email} }
+      include_examples 'failed signup'
+    end
+
    context 'when password param is missing' do
      let(:create_params) { {name: @user.name, username: @user.username, email: @user.email} }
      include_examples 'failed signup'
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1150,4 +1150,30 @@ describe User do
    end
  end

+  describe "hash_passwords" do
+
+    let(:too_long) { "x" * (User.max_password_length + 1) }
+
+    def hash(password, salt)
+      User.new.send(:hash_password, password, salt)
+    end
+
+    it "returns the same hash for the same password and salt" do
+      hash('poutine', 'gravy').should == hash('poutine', 'gravy')
+    end
+
+    it "returns a different hash for the same salt and different password" do
+      hash('poutine', 'gravy').should_not == hash('fries', 'gravy')
+    end
+
+    it "returns a different hash for the same password and different salt" do
+      hash('poutine', 'gravy').should_not == hash('poutine', 'cheese')
+    end
+
+    it "raises an error when passwords are too long" do
+      -> { hash(too_long, 'gravy') }.should raise_error
+    end
+
+  end
+
 end