Ensure complexity, minlength and ispwned are checked on password setting (#18005)
authorzeripath <art27@cantab.net>
Fri, 17 Dec 2021 02:03:39 +0000 (02:03 +0000)
committerGitHub <noreply@github.com>
Fri, 17 Dec 2021 02:03:39 +0000 (10:03 +0800)
It appears that there are several places where password length, complexity and ispwned
are not currently being checked when changing passwords. This PR adds these.

Fix #17977

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
cmd/admin.go
routers/api/v1/admin/user.go
routers/web/user/auth.go

index 65a0bfb7bf37fe1a9af23820d083e0c3e05bc33d..099803fbf52bbefb72917bdae39eb039efe79022 100644 (file)
@@ -379,6 +379,10 @@ func runChangePassword(c *cli.Context) error {
        if err := initDB(ctx); err != nil {
                return err
        }
+       if len(c.String("password")) < setting.MinPasswordLength {
+               return fmt.Errorf("Password is not long enough. Needs to be at least %d", setting.MinPasswordLength)
+       }
+
        if !pwd.IsComplexEnough(c.String("password")) {
                return errors.New("Password does not meet complexity requirements")
        }
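Review bot: The new length check on the `if len(c.String("password")) < setting.MinPasswordLength {` line counts bytes, not characters, so a password made of multi-byte characters can pass the minimum with fewer characters than MinPasswordLength; if the setting is meant in characters, `if utf8.RuneCountInString(c.String("password")) < setting.MinPasswordLength {` (with `unicode/utf8` imported) enforces it as intended. The same byte count is used in the EditUser hunk of routers/api/v1/admin/user.go, whose error text says "characters". Whether MinPasswordLength is documented in bytes or characters is not visible here, so confirm before changing; either way a one-line comment naming the unit would help. runChangePassword starts before and continues after this hunk.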
index 44358b4bef1d7d2e747c603e76298463f81f5488..5d2bbdea2f415806376efe652742824d053c1fd4 100644 (file)
@@ -20,6 +20,7 @@ import (
        "code.gitea.io/gitea/modules/convert"
        "code.gitea.io/gitea/modules/log"
        "code.gitea.io/gitea/modules/password"
+       "code.gitea.io/gitea/modules/setting"
        api "code.gitea.io/gitea/modules/structs"
        "code.gitea.io/gitea/modules/web"
        "code.gitea.io/gitea/routers/api/v1/user"
@@ -173,6 +174,10 @@ func EditUser(ctx *context.APIContext) {
        }
 
        if len(form.Password) != 0 {
+               if len(form.Password) < setting.MinPasswordLength {
+                       ctx.Error(http.StatusBadRequest, "PasswordTooShort", fmt.Errorf("password must be at least %d characters", setting.MinPasswordLength))
+                       return
+               }
                if !password.IsComplexEnough(form.Password) {
                        err := errors.New("PasswordComplexity")
                        ctx.Error(http.StatusBadRequest, "PasswordComplexity", err)
index 178852d3fbd9574f14069e1a57c49095876d6716..0f1ede85a73a02903e7b2bbfd5118b8d320519ed 100644 (file)
@@ -1873,8 +1873,23 @@ func MustChangePasswordPost(ctx *context.Context) {
                ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form)
                return
        }
+       if !password.IsComplexEnough(form.Password) {
+               ctx.Data["Err_Password"] = true
+               ctx.RenderWithErr(password.BuildComplexityError(ctx), tplMustChangePassword, &form)
+               return
+       }
+       pwned, err := password.IsPwned(ctx, form.Password)
+       if pwned {
+               ctx.Data["Err_Password"] = true
+               errMsg := ctx.Tr("auth.password_pwned")
+               if err != nil {
+                       log.Error(err.Error())
+                       errMsg = ctx.Tr("auth.password_pwned_err")
+               }
+               ctx.RenderWithErr(errMsg, tplMustChangePassword, &form)
+               return
+       }
 
-       var err error
        if err = u.SetPassword(form.Password); err != nil {
                ctx.ServerError("UpdateUser", err)
                return
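Review bot: The pwned branch below `pwned, err := password.IsPwned(ctx, form.Password)` only reacts when `pwned` is true, so a lookup error returned together with `pwned == false` would be dropped silently and the password accepted; the code appears to rely on IsPwned reporting true whenever it returns an error, which cannot be confirmed from this hunk. Making the fail-closed intent explicit with `if err != nil || pwned {` preserves the behaviour if that is IsPwned's contract and closes the gap if it is not. A comment such as `// a failed lookup is treated as pwned so the check fails closed` would also spare the next reader the same question. MustChangePasswordPost starts before and continues after this hunk.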