authorNick Thomas <nick@gitlab.com>2021-02-05 17:09:22 +0000
committerNick Thomas <nick@gitlab.com>2021-02-05 17:09:22 +0000
commit3fcef40ce7d5dcdaeca637ebca6d21e9cf4667ab (patch)
tree4da59f82d9bbc935eb2c08933cfa3e757da03d87
parent921712c8522d074afc8ba52d247f5165b5c26ec9 (diff)
parent94f3dcb1879b375810dbcaa513cc9f24564684d1 (diff)
downloadgitlab-shell-13-14-stable.tar.gz
Merge branch 'security-limit-fscanl-13-7' into '13-14-stable'v13.14.113-14-stable
Read limited input for yes answer. See merge request gitlab-org/security/gitlab-shell!4
-rw-r--r--CHANGELOG4
-rw-r--r--VERSION2
-rw-r--r--internal/command/twofactorrecover/twofactorrecover.go5
-rw-r--r--internal/command/twofactorrecover/twofactorrecover_test.go8
4 files changed, 17 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 392370a..97670dd 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+v13.14.1
+
+- Read limited input when asking to generate new two-factor recovery codes
+
v13.14.0
- Add 2fa_verify command !440
diff --git a/VERSION b/VERSION
index d9a01d2..5813fef 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-13.14.0
+13.14.1
diff --git a/internal/command/twofactorrecover/twofactorrecover.go b/internal/command/twofactorrecover/twofactorrecover.go
index f0a9e7b..f5a700a 100644
--- a/internal/command/twofactorrecover/twofactorrecover.go
+++ b/internal/command/twofactorrecover/twofactorrecover.go
@@ -3,6 +3,7 @@ package twofactorrecover
import (
"context"
"fmt"
+ "io"
"strings"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/commandargs"
@@ -11,6 +12,8 @@ import (
"gitlab.com/gitlab-org/gitlab-shell/internal/gitlabnet/twofactorrecover"
)
+const readerLimit = 1024
+
type Command struct {
Config *config.Config
Args *commandargs.Shell
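Review bot: `readerLimit` is added without a doc comment, and neither the name nor the value says that the unit is bytes or what the cap protects; a one-line comment would spare the next reader a search for its only use, e.g. `// readerLimit caps, in bytes, how much of stdin canContinue reads while waiting for the "yes" confirmation.` As far as this diff shows, the constant is used only as the LimitReader bound in canContinue, so the comment is also the natural place to record why 1024 was chosen. The surrounding `Command` struct continues outside the hunk.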
@@ -34,7 +37,7 @@ func (c *Command) canContinue() bool {
fmt.Fprintln(c.ReadWriter.Out, question)
var answer string
- fmt.Fscanln(c.ReadWriter.In, &answer)
+ fmt.Fscanln(io.LimitReader(c.ReadWriter.In, readerLimit), &answer)
return answer == "yes"
}
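Review bot: The error returned by fmt.Fscanln on the new line is still discarded, so the byte cap bounds memory but does not make the confirmation strict: for an input such as `yes extra`, Fscanln stores `yes` in answer before it reports "expected newline", and canContinue returns true. If only an exact `yes` line should confirm, treat any scan error as a refusal: `if _, err := fmt.Fscanln(io.LimitReader(c.ReadWriter.In, readerLimit), &answer); err != nil { return false }`. An input that reaches the 1024-byte limit inside a single token leaves a truncated token that compares unequal to "yes", so the limit itself behaves as intended. canContinue's signature is in the hunk header, outside the visible lines.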
diff --git a/internal/command/twofactorrecover/twofactorrecover_test.go b/internal/command/twofactorrecover/twofactorrecover_test.go
index 92e3779..3272061 100644
--- a/internal/command/twofactorrecover/twofactorrecover_test.go
+++ b/internal/command/twofactorrecover/twofactorrecover_test.go
@@ -6,6 +6,7 @@ import (
"encoding/json"
"io/ioutil"
"net/http"
+ "strings"
"testing"
"github.com/stretchr/testify/require"
@@ -114,6 +115,13 @@ func TestExecute(t *testing.T) {
expectedOutput: question +
"New recovery codes have *not* been generated. Existing codes will remain valid.\n",
},
+ {
+ desc: "With some other answer",
+ arguments: &commandargs.Shell{},
+ answer: strings.Repeat("yes, but not really\n", 2048),
+ expectedOutput: question +
+ "New recovery codes have *not* been generated. Existing codes will remain valid.\n",
+ },
}
for _, tc := range testCases {