author | Nick Thomas <nick@gitlab.com> | 2021-02-05 17:09:08 +0000 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2021-02-05 17:09:08 +0000 |
commit | bf2ae08591a06d76730e99d6125ece8e85b73a53 (patch) | |
tree | b0763f75a5bfe2ebe1c284d2d7777b6689523fe5 | |
parent | 69fc715f978a7335fcc326cf033624c37173d861 (diff) | |
parent | 15043211087b6f35cc819e95746ce62325ce5ad1 (diff) | |
download | gitlab-shell-bf2ae08591a06d76730e99d6125ece8e85b73a53.tar.gz |
Merge branch 'security-limit-fscanl' into 'main'
Read limited input for yes answer
See merge request gitlab-org/security/gitlab-shell!1
-rw-r--r-- | CHANGELOG | 16 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | internal/command/twofactorrecover/twofactorrecover.go | 5 | ||||
-rw-r--r-- | internal/command/twofactorrecover/twofactorrecover_test.go | 8 |
4 files changed, 29 insertions, 2 deletions
@@ -1,17 +1,33 @@
+v13.16.1
+
+- Read limited input when asking to generate new two-factor recovery codes
+
 v13.16.0
 
 - RFC: Simple built-in SSH server !394
 - Remove the session duration information from the output of 2fa_verify command !445
 
+v13.15.1
+
+- Read limited input when asking to generate new two-factor recovery codes
+
 v13.15.0
 
 - Update httpclient.go with TLS 1.2 as minimum version !435
 
+v13.14.1
+
+- Read limited input when asking to generate new two-factor recovery codes
+
 v13.14.0
 
 - Add 2fa_verify command !440
 - Propagate client identity to gitaly !436
 
+v13.13.1
+
+- Read limited input when asking to generate new two-factor recovery codes
+
 v13.13.0
 
 - GitLab API Client support for client certificates !432
@@ -1 +1 @@
-13.16.0
+13.16.1
diff --git a/internal/command/twofactorrecover/twofactorrecover.go b/internal/command/twofactorrecover/twofactorrecover.go
index f0a9e7b..f5a700a 100644
--- a/internal/command/twofactorrecover/twofactorrecover.go
+++ b/internal/command/twofactorrecover/twofactorrecover.go
@@ -3,6 +3,7 @@ package twofactorrecover
 import (
 	"context"
 	"fmt"
+	"io"
 	"strings"
 
 	"gitlab.com/gitlab-org/gitlab-shell/internal/command/commandargs"
@@ -11,6 +12,8 @@ import (
 	"gitlab.com/gitlab-org/gitlab-shell/internal/gitlabnet/twofactorrecover"
 )
 
+const readerLimit = 1024
+
 type Command struct {
 	Config *config.Config
 	Args *commandargs.Shell
@@ -34,7 +37,7 @@ func (c *Command) canContinue() bool {
 	fmt.Fprintln(c.ReadWriter.Out, question)
 
 	var answer string
-	fmt.Fscanln(c.ReadWriter.In, &answer)
+	fmt.Fscanln(io.LimitReader(c.ReadWriter.In, readerLimit), &answer)
 
 	return answer == "yes"
 }
diff --git a/internal/command/twofactorrecover/twofactorrecover_test.go b/internal/command/twofactorrecover/twofactorrecover_test.go
index 92e3779..a53e055 100644
--- a/internal/command/twofactorrecover/twofactorrecover_test.go
+++ b/internal/command/twofactorrecover/twofactorrecover_test.go
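Review bot: `const readerLimit = 1024` is added without any comment saying what it bounds or why this size was chosen, so the next reader cannot tell whether it is a protocol limit, a UX choice, or the DoS guard it actually is. Since the constant is the whole point of the security fix, it deserves a why-comment right above it, something like `// readerLimit caps how many bytes canContinue will read while waiting for the confirmation answer, so an unterminated or oversized token cannot make fmt.Fscanln grow memory without bound; the only accepted answer is "yes", so 1024 is generous.` The surrounding `type Command struct` continues outside the hunk.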
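Review bot: The return values of `fmt.Fscanln` on the new line are still discarded, so a read error, a token cut off at the 1024-byte limit, and trailing data on the same line all fall through silently to the string comparison rather than being rejected explicitly. The comparison fails closed for garbage (the answer is not `"yes"`), but an input such as `yes extra` on one line is accepted as a confirmation even though Fscanln reports "expected newline" for it, and a failing reader is indistinguishable from a user who typed nothing. I would make the failure mode explicit and fail closed: `if _, err := fmt.Fscanln(io.LimitReader(c.ReadWriter.In, readerLimit), &answer); err != nil { return false }`. Note that `canContinue`'s signature appears only as the hunk's context header, so the function starts outside the visible lines.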
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"io/ioutil"
 	"net/http"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -114,6 +115,13 @@ func TestExecute(t *testing.T) {
 			expectedOutput: question +
 				"New recovery codes have *not* been generated. Existing codes will remain valid.\n",
 		},
+		{
+			desc:      "With some other answer",
+			arguments: &commandargs.Shell{},
+			answer:    strings.Repeat("yes", 1024),
+			expectedOutput: question +
+				"New recovery codes have *not* been generated. Existing codes will remain valid.\n",
+		},
 	}
 
 	for _, tc := range testCases {
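Review bot: The new test case does not actually exercise the read limit: `strings.Repeat("yes", 1024)` is rejected by `answer == "yes"` with or without the `io.LimitReader`, so this case would also pass against the unfixed code, and its `desc` "With some other answer" does not say what it is meant to cover. Presumably the harness feeds `tc.answer` to the command through a reader built outside this hunk; if that reader is a `strings.Reader`, keep a handle to it and assert after `Execute` that no more than `readerLimit` bytes were consumed, e.g. `require.LessOrEqual(t, len(tc.answer)-in.Len(), readerLimit)`, which is the property the fix is for. I would also rename the case to `desc: "With an answer longer than the read limit"` so the intent survives the next refactor. `TestExecute`'s body starts and ends outside the hunk.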