authorNick Thomas <nick@gitlab.com>2021-02-05 17:09:18 +0000
committerNick Thomas <nick@gitlab.com>2021-02-05 17:09:18 +0000
commitb82018ac61b724a195ab06a79d3e5d9811b0a2e7 (patch)
tree966c737584b30052dbf0cebdef4b2d6263b6c923
parent99d0bbe8ab3e9fa8368ac6efd24b2e961d2fe8e3 (diff)
parentf3e992fdc8e9d8a8e7f38a54eb1ec95174429b04 (diff)
Merge branch 'security-limit-fscanl-13-8' into '13-15-stable' (v13.15.1, 13-15-stable)
Read limited input for yes answer. See merge request gitlab-org/security/gitlab-shell!3
-rw-r--r--CHANGELOG4
-rw-r--r--VERSION2
-rw-r--r--internal/command/twofactorrecover/twofactorrecover.go5
-rw-r--r--internal/command/twofactorrecover/twofactorrecover_test.go8
4 files changed, 17 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 2affcdf..7aca58f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+v13.15.1
+
+- Read limited input when asking to generate new two-factor recovery codes
+
v13.15.0
- Update httpclient.go with TLS 1.2 as minimum version !435
diff --git a/VERSION b/VERSION
index 04f6473..548118b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-13.15.0
+13.15.1
diff --git a/internal/command/twofactorrecover/twofactorrecover.go b/internal/command/twofactorrecover/twofactorrecover.go
index f0a9e7b..f5a700a 100644
--- a/internal/command/twofactorrecover/twofactorrecover.go
+++ b/internal/command/twofactorrecover/twofactorrecover.go
@@ -3,6 +3,7 @@ package twofactorrecover
import (
"context"
"fmt"
+ "io"
"strings"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/commandargs"
@@ -11,6 +12,8 @@ import (
"gitlab.com/gitlab-org/gitlab-shell/internal/gitlabnet/twofactorrecover"
)
+const readerLimit = 1024
+
type Command struct {
Config *config.Config
Args *commandargs.Shell
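Review bot: The new package-level constant `readerLimit` has no doc comment, so its purpose is only discoverable by finding the one call site in canContinue. A one-liner above it would do, e.g. `// readerLimit bounds how many bytes canContinue reads from stdin while waiting for the confirmation answer.`. Naming the unit (bytes) matters because the value is passed straight to io.LimitReader.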
@@ -34,7 +37,7 @@ func (c *Command) canContinue() bool {
fmt.Fprintln(c.ReadWriter.Out, question)
var answer string
- fmt.Fscanln(c.ReadWriter.In, &answer)
+ fmt.Fscanln(io.LimitReader(c.ReadWriter.In, readerLimit), &answer)
return answer == "yes"
}
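Review bot: The error returned by fmt.Fscanln is still discarded on the new line, and with the limit in place a line that exceeds readerLimit now ends in a scan error while `answer` may already hold the first token, so the function keeps deciding on a partially read line. For a destructive confirmation it is safer to fail closed on any scan error: `if _, err := fmt.Fscanln(io.LimitReader(c.ReadWriter.In, readerLimit), &answer); err != nil { return false }` before the comparison. If the discard is deliberate, say so in place, e.g. `// A read error leaves answer empty or partial; anything other than an exact "yes" is treated as a refusal.`. Note that bytes beyond the limit stay unread in c.ReadWriter.In, which is harmless here since nothing reads it afterwards as far as this hunk shows. canContinue starts outside the hunk.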
diff --git a/internal/command/twofactorrecover/twofactorrecover_test.go b/internal/command/twofactorrecover/twofactorrecover_test.go
index 92e3779..3272061 100644
--- a/internal/command/twofactorrecover/twofactorrecover_test.go
+++ b/internal/command/twofactorrecover/twofactorrecover_test.go
@@ -6,6 +6,7 @@ import (
"encoding/json"
"io/ioutil"
"net/http"
+ "strings"
"testing"
"github.com/stretchr/testify/require"
@@ -114,6 +115,13 @@ func TestExecute(t *testing.T) {
expectedOutput: question +
"New recovery codes have *not* been generated. Existing codes will remain valid.\n",
},
+ {
+ desc: "With some other answer",
+ arguments: &commandargs.Shell{},
+ answer: strings.Repeat("yes, but not really\n", 2048),
+ expectedOutput: question +
+ "New recovery codes have *not* been generated. Existing codes will remain valid.\n",
+ },
}
for _, tc := range testCases {