From efbbdb79df9cc099ab0c9944901ca2bd87b3611f Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Tue, 22 Mar 2022 10:51:54 +0100
Subject: [PATCH] Limit the length of app password names
Signed-off-by: Joas Schilling
---
 .../lib/Controller/AuthSettingsController.php | 8 +++++
 .../Authentication/Token/IProvider.php | 2 +-
 lib/private/Authentication/Token/Manager.php | 6 +++-
 .../Token/PublicKeyTokenProvider.php | 4 +++
 .../lib/Authentication/Token/ManagerTest.php | 31 +++++++++++++++++++
 5 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php
index 566c03536ab..241cecd7113 100644
--- a/apps/settings/lib/Controller/AuthSettingsController.php
+++ b/apps/settings/lib/Controller/AuthSettingsController.php
@@ -146,6 +146,10 @@ class AuthSettingsController extends Controller {
 return $this->getServiceNotAvailableResponse();
 }
+ if (mb_strlen($name) > 128) {
+ $name = mb_substr($name, 0, 120) . '…';
+ }
+
 $token = $this->generateRandomDeviceToken();
 $deviceToken = $this->tokenProvider->generateToken($token, $this->uid, $loginName, $password, $name, IToken::PERMANENT_TOKEN);
 $tokenData = $deviceToken->jsonSerialize();
@@ -242,6 +246,10 @@ class AuthSettingsController extends Controller {
 $this->publishActivity($scope['filesystem'] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]);
 }
+ if (mb_strlen($name) > 128) {
+ $name = mb_substr($name, 0, 120) . '…';
+ }
+
 if ($token instanceof INamedToken && $name !== $currentName) {
 $token->setName($name);
 $this->publishActivity(Provider::APP_TOKEN_RENAMED, $token->getId(), ['name' => $currentName, 'newName' => $name]);
diff --git a/lib/private/Authentication/Token/IProvider.php b/lib/private/Authentication/Token/IProvider.php
index 2b6223fded9..8cdca96f3cc 100644
--- a/lib/private/Authentication/Token/IProvider.php
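Review bot: The controller-side truncation on the new `if (mb_strlen($name) > 128)` lines duplicates the one this same patch adds to Manager::generateToken, so if the injected `$this->tokenProvider` is the Manager (not visible here) the name is length-checked twice with two separate copies of the literals 128 and 120. A single source of truth keeps the copies from drifting, e.g. a constant `public const MAX_NAME_LENGTH = 128;` on the provider side and one small helper applying the rule, used by both controller methods. The rule is also asymmetric: a 128-character name is stored untouched while a 129-character one becomes 121 characters (120 plus the ellipsis), which deserves a one-line comment at the check if it is intended. The enclosing controller method starts before and continues past this hunk.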
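Review bot: The truncation inserted before the rename bounds only `$name`; `$currentName`, read from the stored token earlier in this method (outside the hunk), is passed verbatim into the filesystem-scope and APP_TOKEN_RENAMED activity payloads on the visible `publishActivity` calls and is never bounded. If oversized names reaching activity or notification payloads are part of what motivated this limit, tokens named before the change can still carry a name longer than 128 characters through those two calls until they are renamed. Applying the same truncation where `$currentName` is read, or a one-off migration, would close that gap; at minimum a comment such as `// names stored before the 128-char limit may still exceed it` documents the residual case. The enclosing method continues past the hunk.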
+++ b/lib/private/Authentication/Token/IProvider.php
@@ -45,7 +45,7 @@ interface IProvider {
 * @param string $uid
 * @param string $loginName
 * @param string|null $password
- * @param string $name
+ * @param string $name Name will be trimmed to 120 chars when longer
 * @param int $type token type
 * @param int $remember whether the session token should be used for remember-me
 * @return IToken
diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php
index 073569de0cf..f8cf612ac2b 100644
--- a/lib/private/Authentication/Token/Manager.php
+++ b/lib/private/Authentication/Token/Manager.php
@@ -54,7 +54,7 @@ class Manager implements IProvider {
 * @param string $uid
 * @param string $loginName
 * @param string|null $password
- * @param string $name
+ * @param string $name Name will be trimmed to 120 chars when longer
 * @param int $type token type
 * @param int $remember whether the session token should be used for remember-me
 * @return IToken
@@ -66,6 +66,10 @@ class Manager implements IProvider {
 string $name,
 int $type = IToken::TEMPORARY_TOKEN,
 int $remember = IToken::DO_NOT_REMEMBER): IToken {
+ if (mb_strlen($name) > 128) {
+ $name = mb_substr($name, 0, 120) . '…';
+ }
+
 try {
 return $this->publicKeyTokenProvider->generateToken(
 $token,
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index 4657a802767..fd9e8336cc2 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
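Review bot: The new `@param` wording "Name will be trimmed to 120 chars when longer" does not describe what this patch implements: the Manager acts only when the name exceeds 128 characters and then yields 120 characters plus an ellipsis (121 in total), and PublicKeyTokenProvider::generateToken in the same patch rejects such names with an InvalidTokenException rather than trimming. Because this is the interface, the line should state the contract every implementation honours, e.g. `@param string $name Names longer than 128 characters are truncated to 120 characters plus an ellipsis (Manager) or rejected with InvalidTokenException (PublicKeyTokenProvider)`, and the identical line added to Manager's docblock should be corrected the same way.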
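Review bot: The added `mb_strlen`/`mb_substr` calls rely on mbstring's default internal encoding; nothing in the hunk pins it, so a host with a non-UTF-8 `mbstring.internal_encoding` (unless the bootstrap sets it, which is not visible here) would count bytes differently and could cut a multi-byte name mid-character. Passing the encoding explicitly, `if (mb_strlen($name, 'UTF-8') > 128) { $name = mb_substr($name, 0, 120, 'UTF-8') . '…'; }`, removes that dependency and makes the 128/120 figures unambiguous as code points. Since the Manager trims at the same 128 threshold at which the provider throws, the provider's exception is unreachable through this path, which is worth a short why-comment here so the two numbers are not changed independently. The try block this hunk opens continues outside the hunk.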
@@ -85,6 +85,10 @@ class PublicKeyTokenProvider implements IProvider {
 string $name,
 int $type = IToken::TEMPORARY_TOKEN,
 int $remember = IToken::DO_NOT_REMEMBER): IToken {
+ if (mb_strlen($name) > 128) {
+ throw new InvalidTokenException('The given name is too long');
+ }
+
 $dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
 $this->mapper->insert($dbToken);
diff --git a/tests/lib/Authentication/Token/ManagerTest.php b/tests/lib/Authentication/Token/ManagerTest.php
index fb92b3e5018..ee2b3cdc768 100644
--- a/tests/lib/Authentication/Token/ManagerTest.php
+++ b/tests/lib/Authentication/Token/ManagerTest.php
@@ -127,6 +127,37 @@ class ManagerTest extends TestCase {
 $this->assertSame($token, $actual);
 }
+ public function testGenerateTokenTooLongName() {
+ $token = $this->createMock(IToken::class);
+ $token->method('getName')
+ ->willReturn(str_repeat('a', 120) . '…');
+
+ $this->publicKeyTokenProvider->expects($this->once())
+ ->method('generateToken')
+ ->with(
+ 'token',
+ 'uid',
+ 'loginName',
+ 'password',
+ str_repeat('a', 120) . '…',
+ IToken::TEMPORARY_TOKEN,
+ IToken::REMEMBER
+ )->willReturn($token);
+
+ $actual = $this->manager->generateToken(
+ 'token',
+ 'uid',
+ 'loginName',
+ 'password',
+ str_repeat('a', 200),
+ IToken::TEMPORARY_TOKEN,
+ IToken::REMEMBER
+ );
+
+ $this->assertSame(121, mb_strlen($actual->getName()));
+ }
+
 public function tokenData(): array {
 return [
 [new DefaultToken()],
-- 2.39.5
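Review bot: `throw new InvalidTokenException('The given name is too long')` reuses an exception whose name suggests the token itself is unknown or invalid, so any caller that catches InvalidTokenException to mean "no such token" will misclassify a bad argument; a name-validation failure reads better as `throw new \InvalidArgumentException('The given name is too long');` or a dedicated exception declared with `@throws` on the method. This matters for Manager::generateToken in this same patch, whose try/catch around this call lies outside its hunk: if that catch treats InvalidTokenException as a signal to fall back to another provider, a too-long name that reaches this provider directly would be silently rerouted rather than reported. The check is placed before newToken() and the mapper insert, so nothing is persisted for a rejected name, which is right. The enclosing generateToken starts before this hunk.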
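Review bot: The closing `$this->assertSame(121, mb_strlen($actual->getName()));` does not exercise the Manager: `$actual` is the mock returned by the provider stub, and its `getName()` is stubbed a few lines up to return `str_repeat('a', 120) . '…'`, so the assertion can only ever observe 121 regardless of what the Manager did. The real check is the `->with(...)` expectation on the provider mock, which fails if the untrimmed 200-character name is passed through; replace the last assertion with `$this->assertSame($token, $actual);` as the preceding test does and drop the `getName` stub. Boundary cases are missing as well: a 128-character name must reach the provider unchanged and a 129-character one must arrive as 121 characters, which a data provider with those two lengths would pin against future changes to either literal.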