From 30098527b5b6d54a4799da713c02bd6cf9d3abc6 Mon Sep 17 00:00:00 2001 From: Paulo Gustavo Veiga Date: Sun, 2 Jul 2023 10:13:42 -0700 Subject: [PATCH] Enforce password size limit --- .../exceptions/PasswordTooLongException.java | 37 ++++++++++ .../main/java/com/wisemapping/model/User.java | 70 ++++++++++--------- .../wisemapping/rest/AccountController.java | 7 +- .../com/wisemapping/rest/UserController.java | 6 ++ .../src/main/resources/messages_de.properties | 3 +- .../src/main/resources/messages_en.properties | 3 +- .../src/main/resources/messages_es.properties | 3 +- .../src/main/resources/messages_fr.properties | 3 +- .../src/main/resources/messages_ru.properties | 3 +- .../src/main/resources/messages_zh.properties | 3 +- 10 files changed, 97 insertions(+), 41 deletions(-) create mode 100755 wise-webapp/src/main/java/com/wisemapping/exceptions/PasswordTooLongException.java diff --git a/wise-webapp/src/main/java/com/wisemapping/exceptions/PasswordTooLongException.java b/wise-webapp/src/main/java/com/wisemapping/exceptions/PasswordTooLongException.java new file mode 100755 index 00000000..6409ee29 --- /dev/null +++ b/wise-webapp/src/main/java/com/wisemapping/exceptions/PasswordTooLongException.java 
@@ -0,0 +1,37 @@
+/*
+ * Copyright [2022] [wisemapping]
+ *
+ * Licensed under WiseMapping Public License, Version 1.0 (the "License").
+ * It is basically the Apache License, Version 2.0 (the "License") plus the
+ * "powered by wisemapping" text requirement on every single page;
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the license at
+ *
+ * http://www.wisemapping.org/license
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.wisemapping.exceptions;
+
+
+import javax.validation.constraints.NotNull;
+
+public class PasswordTooLongException
+ extends ClientException {
+ private static final String PASSWORD_TOO_LONG = "PASSWORD_TOO_LONG";
+
+ public PasswordTooLongException() {
+ super("Password length must be less than 40 characters", Severity.WARNING);
+ }
+
+ @NotNull
+ @Override
+ protected String getMsgBundleKey() {
+ return PASSWORD_TOO_LONG;
+ }
+}
diff --git a/wise-webapp/src/main/java/com/wisemapping/model/User.java b/wise-webapp/src/main/java/com/wisemapping/model/User.java
index 4040e4f2..615c6775 100644
--- a/wise-webapp/src/main/java/com/wisemapping/model/User.java
+++ b/wise-webapp/src/main/java/com/wisemapping/model/User.java
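Review bot: The constructor message hard-codes the limit and states it as "less than 40", while the guards that throw this exception (AccountController.changePassword and UserController.registerUser in later hunks) reject only `length() > User.MAX_PASSWORD_LENGTH_SIZE`, so a 40-character password is accepted and the text is off by one; the same wording is copied into every `PASSWORD_TOO_LONG` bundle entry. Deriving the message from the constant keeps the two from drifting: `super("Password length must be at most " + User.MAX_PASSWORD_LENGTH_SIZE + " characters", Severity.WARNING);` (with `import com.wisemapping.model.User;` added to this file). A one-line Javadoc such as `/** Thrown when a submitted password exceeds {@link User#MAX_PASSWORD_LENGTH_SIZE} characters. */` would also document the contract for callers that catch it.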
@@ -32,34 +32,36 @@ public class User extends Collaborator implements Serializable { + public static final int MAX_PASSWORD_LENGTH_SIZE = 40; + private String firstname; private String lastname; private String password; private String locale; - + @Column(name = "activation_code") private long activationCode; - + @Column(name = "activation_date") private Calendar activationDate; - + @Column(name = "allow_send_email") private boolean allowSendEmail = false; - + @Column(name = "authentication_type") private Character authenticationTypeCode = AuthenticationType.DATABASE.getCode(); - + @Column(name = "authenticator_uri") private String authenticatorUri; - + @Column(name = "google_sync") - private Boolean googleSync; + private Boolean googleSync; @Column(name = "sync_code") - private String syncCode; + private String syncCode; @Column(name = "google_token") - private String googleToken; + private String googleToken; public User() { } @@ -88,7 +90,7 @@ public class User return password; } - public void setPassword(String password) { + public void setPassword(@javax.validation.constraints.NotNull String password) { this.password = password; } 
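Review bot: The `@javax.validation.constraints.NotNull` added to `setPassword` in the second hunk is a Bean Validation constraint and is only enforced if method-level validation is configured for this class; as written it documents the intent, but the actual null rejection still happens in AccountController.changePassword, so code that sets the password directly is unchecked. The same holds for the new `MAX_PASSWORD_LENGTH_SIZE` in the first hunk: the entity exposes the limit but does not enforce it, so any write path that bypasses the two controllers can still store an over-long password. If the limit is meant to hold everywhere, enforcing it once in the service layer (UserService.changePassword, not visible here) and having the controllers translate to PasswordTooLongException is safer than a throwing setter, which would also run during entity hydration if the mapping uses property access. A short Javadoc on the constant, e.g. `/** Maximum accepted length of a submitted password, measured in {@code String.length()} units. */`, would state what is bounded.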
@@ -158,34 +160,34 @@ public class User } public void setAuthenticationTypeCode(Character authenticationTypeCode) { - this.authenticationTypeCode = authenticationTypeCode; - } + this.authenticationTypeCode = authenticationTypeCode; + } - public Boolean getGoogleSync() { - return googleSync; - } + public Boolean getGoogleSync() { + return googleSync; + } - public void setGoogleSync(Boolean googleSync) { - this.googleSync = googleSync; - } - - public String getSyncCode() { - return syncCode; - } - - public void setSyncCode(String syncCode) { - this.syncCode = syncCode; - } + public void setGoogleSync(Boolean googleSync) { + this.googleSync = googleSync; + } - public String getGoogleToken() { - return googleToken; - } + public String getSyncCode() { + return syncCode; + } - public void setGoogleToken(String googleToken) { - this.googleToken = googleToken; - } - - @Override + public void setSyncCode(String syncCode) { + this.syncCode = syncCode; + } + + public String getGoogleToken() { + return googleToken; + } + + public void setGoogleToken(String googleToken) { + this.googleToken = googleToken; + } + + @Override public String toString() { return "User{" + "firstname='" + firstname + '\'' + diff --git a/wise-webapp/src/main/java/com/wisemapping/rest/AccountController.java b/wise-webapp/src/main/java/com/wisemapping/rest/AccountController.java index bccece0d..e7ef928a 100644 --- a/wise-webapp/src/main/java/com/wisemapping/rest/AccountController.java +++ b/wise-webapp/src/main/java/com/wisemapping/rest/AccountController.java @@ -18,6 +18,7 @@ package com.wisemapping.rest; +import com.wisemapping.exceptions.PasswordTooLongException; import com.wisemapping.exceptions.WiseMappingException; import com.wisemapping.model.Collaboration; import com.wisemapping.model.Label; 
@@ -55,11 +56,15 @@ public class AccountController extends BaseController { @RequestMapping(method = RequestMethod.PUT, value = "account/password", consumes = {"text/plain"}) @ResponseStatus(value = HttpStatus.NO_CONTENT) - public void changePassword(@RequestBody String password) { + public void changePassword(@RequestBody String password) throws PasswordTooLongException { if (password == null) { throw new IllegalArgumentException("Password can not be null"); } + if (password.length() > User.MAX_PASSWORD_LENGTH_SIZE) { + throw new PasswordTooLongException(); + } + final User user = Utils.getUser(true); user.setPassword(password); userService.changePassword(user); diff --git a/wise-webapp/src/main/java/com/wisemapping/rest/UserController.java b/wise-webapp/src/main/java/com/wisemapping/rest/UserController.java index 234c6b09..e2ee2ec2 100644 --- a/wise-webapp/src/main/java/com/wisemapping/rest/UserController.java +++ b/wise-webapp/src/main/java/com/wisemapping/rest/UserController.java @@ -19,6 +19,7 @@ package com.wisemapping.rest; import com.wisemapping.exceptions.EmailNotExistsException; +import com.wisemapping.exceptions.PasswordTooLongException; import com.wisemapping.exceptions.WiseMappingException; import com.wisemapping.model.AuthenticationType; import com.wisemapping.model.User; @@ -48,6 +49,7 @@ import java.util.List; @Controller @CrossOrigin public class UserController extends BaseController { + @Qualifier("userService") @Autowired private UserService userService; 
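Review bot: The length guard added here is duplicated verbatim in UserController.registerUser (next hunk), and both measure `password.length()`, i.e. UTF-16 code units rather than bytes; if the purpose of the limit is to bound the input handed to the password hasher, the byte length is what matters, and a 40-unit string can be up to 120 bytes in UTF-8 (bcrypt, if that is the hasher, silently truncates at 72 bytes). Centralising the check in one helper, for example a static `User.checkPasswordLength(String)` that throws PasswordTooLongException, gives a single place to decide what is measured and keeps the two controllers from drifting. Whether BaseController maps the checked ClientException to a 4xx response is not visible in this hunk; if it does not, this PUT would surface an ordinary user error as a 500.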
@@ -74,6 +76,10 @@ public class UserController extends BaseController { @NotNull HttpServletResponse response) throws WiseMappingException, BindException { logger.debug("Register new user:" + registration.getEmail()); + if (registration.getPassword().length() > User.MAX_PASSWORD_LENGTH_SIZE) { + throw new PasswordTooLongException(); + } + // If tomcat is behind a reverse proxy, ip needs to be found in other header. String remoteIp = request.getHeader(REAL_IP_ADDRESS_HEADER); if (remoteIp == null || remoteIp.isEmpty()) { diff --git a/wise-webapp/src/main/resources/messages_de.properties b/wise-webapp/src/main/resources/messages_de.properties index 6a5e24ae..5f361ffc 100644 --- a/wise-webapp/src/main/resources/messages_de.properties +++ b/wise-webapp/src/main/resources/messages_de.properties @@ -69,4 +69,5 @@ EMAIL.GREETINGS=Hallo OWNER_ROLE_CAN_NOT_BE_CHANGED=Die Rolle des Besitzers kann nicht geöndert werden. Bitte entferne den Besitzer aus der önderungsliste. ZOOM_TO_FIT=Einpassen ZOOM_OUT=Verkleinern -ZOOM_IN=Vergrööern \ No newline at end of file +ZOOM_IN=Vergrööern +PASSWORD_TOO_LONG=Password must be less than 40 characters. \ No newline at end of file diff --git a/wise-webapp/src/main/resources/messages_en.properties b/wise-webapp/src/main/resources/messages_en.properties index cef83f55..ec30a85d 100644 --- a/wise-webapp/src/main/resources/messages_en.properties +++ b/wise-webapp/src/main/resources/messages_en.properties @@ -71,4 +71,5 @@ TOO_MANY_INACTIVE_ACCOUNTS=You have shared your mindmaps to more than 20 user th OWNER_ROLE_CAN_NOT_BE_CHANGED=Owner role can not be change. Please, remove owner from the change list. ZOOM_TO_FIT=Zoom to fit ZOOM_OUT=Zoom out -ZOOM_IN=Zoom in \ No newline at end of file +ZOOM_IN=Zoom in +PASSWORD_TOO_LONG=Password must be less than 40 characters. \ No newline at end of file diff --git a/wise-webapp/src/main/resources/messages_es.properties b/wise-webapp/src/main/resources/messages_es.properties index d95e5ecb..9a8b0e10 100644 
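Review bot: `registration.getPassword()` is dereferenced without a null check, so a registration request that omits the password raises a NullPointerException here (a 500) instead of a validation error, unless the DTO's password field is already constrained by bean validation before this point; the `BindException` in the signature suggests `@Valid` may apply, but that is not visible in the hunk. A defensive form is `final String password = registration.getPassword(); if (password != null && password.length() > User.MAX_PASSWORD_LENGTH_SIZE) { throw new PasswordTooLongException(); }`, leaving the null case to the existing validation path. The enclosing registerUser method starts and continues outside the hunk.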
--- a/wise-webapp/src/main/resources/messages_es.properties +++ b/wise-webapp/src/main/resources/messages_es.properties @@ -69,4 +69,5 @@ EMAIL.GREETINGS=Hola OWNER_ROLE_CAN_NOT_BE_CHANGED=Owner role can not be change. Please, remove owner from the change list. ZOOM_TO_FIT=Centrar ZOOM_OUT=Alejar -ZOOM_IN=Acercar \ No newline at end of file +ZOOM_IN=Acercar +PASSWORD_TOO_LONG=Password must be less than 40 characters. \ No newline at end of file diff --git a/wise-webapp/src/main/resources/messages_fr.properties b/wise-webapp/src/main/resources/messages_fr.properties index c09a3111..8c9cfbc6 100644 --- a/wise-webapp/src/main/resources/messages_fr.properties +++ b/wise-webapp/src/main/resources/messages_fr.properties @@ -69,4 +69,5 @@ EMAIL.GREETINGS=Salut OWNER_ROLE_CAN_NOT_BE_CHANGED=Le rôle du propriétaire ne peut pas être modifié. Veuillez supprimer le propriétaire de la liste des modifications. ZOOM_TO_FIT=Zoomer pour s'adapter ZOOM_OUT=Dézoomer -ZOOM_IN=Agrandir \ No newline at end of file +ZOOM_IN=Agrandir +PASSWORD_TOO_LONG=Password must be less than 40 characters. \ No newline at end of file diff --git a/wise-webapp/src/main/resources/messages_ru.properties b/wise-webapp/src/main/resources/messages_ru.properties index 127133fe..622c7fbf 100644 --- a/wise-webapp/src/main/resources/messages_ru.properties +++ b/wise-webapp/src/main/resources/messages_ru.properties @@ -63,4 +63,5 @@ EMAIL.GREETINGS=Hi OWNER_ROLE_CAN_NOT_BE_CHANGED=Роль владельца изменить нельзя. Пожалуйста, удалите владельца из списка изменений. ZOOM_TO_FIT=Увеличить, чтобы соответствовать ZOOM_OUT=Уменьшить -ZOOM_IN=Приблизить \ No newline at end of file +ZOOM_IN=Приблизить +PASSWORD_TOO_LONG=Password must be less than 40 characters. \ No newline at end of file diff --git a/wise-webapp/src/main/resources/messages_zh.properties b/wise-webapp/src/main/resources/messages_zh.properties index 6d63cc7d..d935b4ff 100644 --- a/wise-webapp/src/main/resources/messages_zh.properties 
+++ b/wise-webapp/src/main/resources/messages_zh.properties @@ -69,4 +69,5 @@ EMAIL.GREETINGS=你好 OWNER_ROLE_CAN_NOT_BE_CHANGED=所有者角色无法更改。请从更改列表中删除所有者。 ZOOM_TO_FIT=缩放以适合 ZOOM_OUT=缩小 -ZOOM_IN=放大 \ No newline at end of file +ZOOM_IN=放大 +PASSWORD_TOO_LONG=Password must be less than 40 characters. \ No newline at end of file