fix: add password/secret length check to be <= 128 (#18916)

Signed-off-by: Shengwen Yu <yshengwen@vmware.com>

src/controller/robot/controller.go

@@ -416,5 +416,5 @@ var (
 )
 
 func IsValidSec(secret string) bool {
-	return len(secret) >= 8 && hasLower.MatchString(secret) && hasUpper.MatchString(secret) && hasNumber.MatchString(secret)
+	return len(secret) >= 8 && len(secret) <= 128 && hasLower.MatchString(secret) && hasUpper.MatchString(secret) && hasNumber.MatchString(secret)
 }

src/controller/robot/controller_test.go

@@ -301,6 +301,12 @@ func (suite *ControllerTestSuite) TestIsValidSec() {
 	suite.False(IsValidSec(sec))
 	sec = "123abc"
 	suite.False(IsValidSec(sec))
+	// secret of length 128 characters long should be ok
+	sec = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd"
+	suite.True(IsValidSec(sec))
+	// secret of length larger than 128 characters long, such as 129 characters long, should return false
+	sec = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcde"
+	suite.False(IsValidSec(sec))
 }
 
 func (suite *ControllerTestSuite) TestCreateSec() {

src/server/v2.0/handler/robot.go

@@ -242,7 +242,7 @@ func (rAPI *robotAPI) RefreshSec(ctx context.Context, params operation.RefreshSe
 	robotSec := &models.RobotSec{}
 	if params.RobotSec.Secret != "" {
 		if !robot.IsValidSec(params.RobotSec.Secret) {
-			return rAPI.SendError(ctx, errors.New("the secret must longer than 8 chars with at least 1 uppercase letter, 1 lowercase letter and 1 number").WithCode(errors.BadRequestCode))
+			return rAPI.SendError(ctx, errors.New("the secret must be 8-128, inclusively, characters long with at least 1 uppercase letter, 1 lowercase letter and 1 number").WithCode(errors.BadRequestCode))
 		}
 		secret = utils.Encrypt(params.RobotSec.Secret, r.Salt, utils.SHA256)
 		robotSec.Secret = ""

src/server/v2.0/handler/user.go

@@ -456,10 +456,10 @@ func requireValidSecret(in string) error {
 	hasLower := regexp.MustCompile(`[a-z]`)
 	hasUpper := regexp.MustCompile(`[A-Z]`)
 	hasNumber := regexp.MustCompile(`[0-9]`)
-	if len(in) >= 8 && hasLower.MatchString(in) && hasUpper.MatchString(in) && hasNumber.MatchString(in) {
+	if len(in) >= 8 && len(in) <= 128 && hasLower.MatchString(in) && hasUpper.MatchString(in) && hasNumber.MatchString(in) {
 		return nil
 	}
-	return errors.BadRequestError(nil).WithMessage("the password or secret must be longer than 8 chars with at least 1 uppercase letter, 1 lowercase letter and 1 number")
+	return errors.BadRequestError(nil).WithMessage("the password or secret must be 8-128, inclusively, characters long with at least 1 uppercase letter, 1 lowercase letter and 1 number")
 }
 
 func getRandomSecret() (string, error) {

src/server/v2.0/handler/user_test.go

@@ -28,6 +28,10 @@ func TestRequireValidSecret(t *testing.T) {
 		{"Sh0rt", true},
 		{"Passw0rd", false},
 		{"Thisis1Valid_password", false},
+		// secret of length 128 characters long should be ok, no error returned
+		{"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd", false},
+		// secret of length larger than 128 characters long, such as 129 characters long, should return error
+		{"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcde", true},
 	}
 	for _, c := range cases {
 		e := requireValidSecret(c.in)
@@ -44,8 +48,8 @@ type UserTestSuite struct {
 
 func (uts *UserTestSuite) SetupSuite() {
 	uts.user = &commonmodels.User{
-		UserID:          1,
-		Username:        "admin",
+		UserID:   1,
+		Username: "admin",
 	}
 
 	uts.uCtl = &usertesting.Controller{}