From 719b0ce61504ebf6ad18825c70444891161fada2 Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Fri, 21 Jun 2024 05:32:46 +0000
Subject: [PATCH] Reject passwords that are the same as login, first name, last name, or email (#37279).

Patch by Go MAEDA (@maeda).

git-svn-id: https://svn.redmine.org/redmine/trunk@22888 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/user.rb | 11 +++++++++++
 config/locales/en.yml | 1 +
 test/unit/user_test.rb | 18 ++++++++++++++++++
 3 files changed, 30 insertions(+)

diff --git a/app/models/user.rb b/app/models/user.rb
index 6e364c5c1..2fae4a7ca 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -117,6 +117,7 @@ class User < Principal
 validates_format_of :password, :with => v, :message => :"must_contain_#{k}", :allow_blank => true, :if => Proc.new {Setting.password_required_char_classes.include?(k)}
 end
 validate :validate_password_length
+ validate :validate_password_complexity
 validate do
 if password_confirmation && password != password_confirmation
 errors.add(:password, :confirmation)
@@ -901,6 +902,16 @@ class User < Principal
 end
 end
+ def validate_password_complexity
+ return if password.blank? && generate_password?
+ return if password.nil?
+
+ # TODO: Enhance to check for more common and simple passwords
+ # like 'password', '123456', 'qwerty', etc.
+ bad_passwords = [login, firstname, lastname, mail] + email_addresses.map(&:address)
+ errors.add(:password, :too_simple) if bad_passwords.any? {|p| password.casecmp?(p)}
+ end
+
 def instantiate_email_address
 email_address || build_email_address
 end
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 2361dac08..3be2686ec 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
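Review bot: In validate_password_complexity the `bad_passwords` list can hold blank strings (a user being created with an empty firstname or lastname, or `mail` being nil), and `"".casecmp?("")` is true, so an empty password submitted for such a record is reported as `:too_simple` in addition to the length error it already gets; dropping blanks, `bad_passwords = ([login, firstname, lastname, mail] + email_addresses.map(&:address)).reject(&:blank?)`, keeps the message accurate. Nil entries are harmless on the Ruby versions Redmine supports, since `casecmp?` returns nil rather than raising for a non-String argument. The comparison is an exact case-insensitive match, so the login with a digit or punctuation appended is still accepted; if that is out of scope for this change, it is worth naming in the existing TODO so the limitation is visible. The enclosing User class continues outside the hunk.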
@@ -114,6 +114,7 @@ en:
 blank: "cannot be blank"
 too_long: "is too long (maximum is %{count} characters)"
 too_short: "is too short (minimum is %{count} characters)"
+ too_simple: "is too simple"
 wrong_length: "is the wrong length (should be %{count} characters)"
 taken: "has already been taken"
 not_a_number: "is not a number"
diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
index be4e4791f..34c055c2b 100644
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -558,6 +558,24 @@ class UserTest < ActiveSupport::TestCase
 end
 end
+ def test_validate_password_complexity
+ user = users(:users_002)
+ bad_passwords = [
+ user.login,
+ user.lastname,
+ user.firstname,
+ user.mail,
+ user.login.upcase
+ ]
+
+ bad_passwords.each do |p|
+ user.password = p
+ user.password_confirmation = p
+ assert_not user.save
+ assert user.errors.full_messages.include?('Password is too simple')
+ end
+ end
+
 def test_name_format
 assert_equal 'John S.', @jsmith.name(:firstname_lastinitial)
 assert_equal 'Smith, John', @jsmith.name(:lastname_comma_firstname)
--
2.39.5
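Review bot: test_validate_password_complexity only exercises rejected values; it should also assert that a password unrelated to the user's identity still saves, so the validator is shown not to block every password, and it never sets a secondary `email_addresses` entry even though the validator checks those addresses too. `assert user.errors.full_messages.include?(...)` prints nothing useful when it fails; `assert_includes user.errors.full_messages, 'Password is too simple'` reports the actual messages. The test method is complete within the hunk, while the enclosing UserTest class is not.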