Only check access tokens if they are likely to be tokens (#16164)

* Only check access tokens if they are likely to be tokens

Gitea will currently check every if every password is an access token even though
most passwords are not and cannot be access tokens.

By creation access tokens are 40 byte hexadecimal strings therefore only these should
be checked.

Signed-off-by: Andrew Thornton <art27@cantab.net>

diff --git a/models/token.go b/models/token.go
index 4737dddda3431883b06884be05a704c567e103a1..357afe44a7c0b456d233d1ad557051b16d6d8e12 100644 (file)
--- a/models/token.go
+++ b/models/token.go
@@ -57,9 +57,15 @@ func GetAccessTokenBySHA(token string) (*AccessToken, error) {
        if token == "" {
                return nil, ErrAccessTokenEmpty{}
        }
-       if len(token) < 8 {
+       // A token is defined as being SHA1 sum these are 40 hexadecimal bytes long
+       if len(token) != 40 {
                return nil, ErrAccessTokenNotExist{token}
        }
+       for _, x := range []byte(token) {
+               if x < '0' || (x > '9' && x < 'a') || x > 'f' {
+                       return nil, ErrAccessTokenNotExist{token}
+               }
+       }
        var tokens []AccessToken
        lastEight := token[len(token)-8:]
        err := x.Table(&AccessToken{}).Where("token_last_eight = ?", lastEight).Find(&tokens)