diff options
author | Nick Thomas <nick@gitlab.com> | 2021-02-05 17:09:18 +0000 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2021-02-05 17:09:18 +0000 |
commit | ce93aeae452661a0afbdadcba0377abc27646798 (patch) | |
tree | c2f89d0089864b01b8211a3cb3006cf7361d8da9 | |
parent | 69fc715f978a7335fcc326cf033624c37173d861 (diff) | |
parent | 205e0a87e9fc79ad2e46c92f58079f7fa356c151 (diff) | |
download | gitlab-shell-13-16-stable.tar.gz |
Merge branch 'security-limit-fscanl-13-9' into '13-16-stable'v13.16.113-16-stable
Read limited input for yes answer
See merge request gitlab-org/security/gitlab-shell!5
-rw-r--r-- | CHANGELOG | 4 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | internal/command/twofactorrecover/twofactorrecover.go | 5 | ||||
-rw-r--r-- | internal/command/twofactorrecover/twofactorrecover_test.go | 8 |
4 files changed, 17 insertions, 2 deletions
@@ -1,3 +1,7 @@ +v13.16.1 + +- Read limited input for yes answer + v13.16.0 - RFC: Simple built-in SSH server !394 @@ -1 +1 @@ -13.16.0 +13.16.1 diff --git a/internal/command/twofactorrecover/twofactorrecover.go b/internal/command/twofactorrecover/twofactorrecover.go index f0a9e7b..f5a700a 100644 --- a/internal/command/twofactorrecover/twofactorrecover.go +++ b/internal/command/twofactorrecover/twofactorrecover.go @@ -3,6 +3,7 @@ package twofactorrecover import ( "context" "fmt" + "io" "strings" "gitlab.com/gitlab-org/gitlab-shell/internal/command/commandargs" @@ -11,6 +12,8 @@ import ( "gitlab.com/gitlab-org/gitlab-shell/internal/gitlabnet/twofactorrecover" ) +const readerLimit = 1024 + type Command struct { Config *config.Config Args *commandargs.Shell @@ -34,7 +37,7 @@ func (c *Command) canContinue() bool { fmt.Fprintln(c.ReadWriter.Out, question) var answer string - fmt.Fscanln(c.ReadWriter.In, &answer) + fmt.Fscanln(io.LimitReader(c.ReadWriter.In, readerLimit), &answer) return answer == "yes" } diff --git a/internal/command/twofactorrecover/twofactorrecover_test.go b/internal/command/twofactorrecover/twofactorrecover_test.go index 92e3779..a53e055 100644 --- a/internal/command/twofactorrecover/twofactorrecover_test.go +++ b/internal/command/twofactorrecover/twofactorrecover_test.go @@ -6,6 +6,7 @@ import ( "encoding/json" "io/ioutil" "net/http" + "strings" "testing" "github.com/stretchr/testify/require" @@ -114,6 +115,13 @@ func TestExecute(t *testing.T) { expectedOutput: question + "New recovery codes have *not* been generated. Existing codes will remain valid.\n", }, + { + desc: "With some other answer", + arguments: &commandargs.Shell{}, + answer: strings.Repeat("yes", 1024), + expectedOutput: question + + "New recovery codes have *not* been generated. Existing codes will remain valid.\n", + }, } for _, tc := range testCases { |