authorGitLab Bot <gitlab-bot@gitlab.com>2022-03-31 00:09:06 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-03-31 00:09:06 +0000
commitae6b4f857f51765dac310e8075c2c3f88e51dcab (patch)
tree7e350d6d94d6b9cae89b3cf4c79e9a8b09880842 /app
parentae92150461ad4cffcf85a4dc6313bc403e596391 (diff)
downloadgitlab-ce-ae6b4f857f51765dac310e8075c2c3f88e51dcab.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-9-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/models/user.rb17
1 files changed, 17 insertions, 0 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index b3bdc2c1c42..bc02f0ba55e 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -879,6 +879,23 @@ class User < ApplicationRecord
reset_password_sent_at.present? && reset_password_sent_at >= 1.minute.ago
end
+ # See https://gitlab.com/gitlab-org/security/gitlab/-/issues/638
+ DISALLOWED_PASSWORDS = %w[123qweQWE!@#000000000].freeze
+
+ # Overwrites valid_password? from Devise::Models::DatabaseAuthenticatable
+ # In constant-time, check both that the password isn't on a denylist AND
+ # that the password is the user's password
+ def valid_password?(password)
+ password_allowed = true
+ DISALLOWED_PASSWORDS.each do |disallowed_password|
+ password_allowed = false if Devise.secure_compare(password, disallowed_password)
+ end
+
+ original_result = super
+
+ password_allowed && original_result
+ end
+
def remember_me!
super if ::Gitlab::Database.read_write?
end
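Review bot: The `each` loop with a `password_allowed` flag in `valid_password?` is written so that every denylist entry is compared and `super` is always called, but nothing in the hunk records that this non-short-circuiting shape is intentional, so a later cleanup to `DISALLOWED_PASSWORDS.none? { ... }` or `return false` on a match would quietly reintroduce an early exit. I would add above the loop: `# Deliberately compare against every entry and still call super, so timing does not reveal whether or which denylisted entry matched.` The header comment's "In constant-time" claim should also be softened: as far as I recall, `Devise.secure_compare` returns early when the two byte sizes differ, so only same-length candidates are compared in constant time. Note that `DISALLOWED_PASSWORDS` is a single `%w` element here and lives mid-class rather than with the other constants; the enclosing `class User` starts and ends outside this hunk.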