Only check access tokens if they are likely to be tokens (#16164)

* Only check access tokens if they are likely to be tokens Gitea will currently check every if every password is an access token even though most passwords are not and cannot be access tokens. By creation access tokens are 40 byte hexadecimal strings therefore only these should be checked. Signed-off-by: Andrew Thornton <art27@cantab.net>
author: zeripath <art27@cantab.net> 2021-06-15 23:29:25 +0100
committer: GitHub <noreply@github.com> 2021-06-16 00:29:25 +0200
commit: b8e4ce754ea8a80b475f498fc7f8ca166815ad91 (patch)
tree: 2878484b2a57802b35de98ee9312cca73e0b8b09 /models/token.go
parent: 3d991319df49d0af8903ae654b9b69623c6abfff (diff)
download: gitea-b8e4ce754ea8a80b475f498fc7f8ca166815ad91.tar.gz
gitea-b8e4ce754ea8a80b475f498fc7f8ca166815ad91.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/models/token.go b/models/token.go
index 4737dddda3..357afe44a7 100644
--- a/models/token.go
+++ b/models/token.go
@@ -57,9 +57,15 @@ func GetAccessTokenBySHA(token string) (*AccessToken, error) {
 	if token == "" {
 		return nil, ErrAccessTokenEmpty{}
 	}
-	if len(token) < 8 {
+	// A token is defined as being SHA1 sum these are 40 hexadecimal bytes long
+	if len(token) != 40 {
 		return nil, ErrAccessTokenNotExist{token}
 	}
+	for _, x := range []byte(token) {
+		if x < '0' || (x > '9' && x < 'a') || x > 'f' {
+			return nil, ErrAccessTokenNotExist{token}
+		}
+	}
 	var tokens []AccessToken
 	lastEight := token[len(token)-8:]
 	err := x.Table(&AccessToken{}).Where("token_last_eight = ?", lastEight).Find(&tokens)
author	zeripath <art27@cantab.net>	2021-06-15 23:29:25 +0100
committer	GitHub <noreply@github.com>	2021-06-16 00:29:25 +0200
commit	b8e4ce754ea8a80b475f498fc7f8ca166815ad91 (patch)
tree	2878484b2a57802b35de98ee9312cca73e0b8b09 /models/token.go
parent	3d991319df49d0af8903ae654b9b69623c6abfff (diff)
download	gitea-b8e4ce754ea8a80b475f498fc7f8ca166815ad91.tar.gz gitea-b8e4ce754ea8a80b475f498fc7f8ca166815ad91.zip