lavender-legacy/gitea
7
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Only check access tokens if they are likely to be tokens (#16164)

Browse source 
* Only check access tokens if they are likely to be tokens

Gitea will currently check every if every password is an access token even though
most passwords are not and cannot be access tokens.

By creation access tokens are 40 byte hexadecimal strings therefore only these should
be checked.

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath 2021-06-15 23:29:25 +01:00 committed by GitHub
parent 3d991319df
commit b8e4ce754e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
models/token.go
View file

@ -57,9 +57,15 @@ func GetAccessTokenBySHA(token string) (*AccessToken, error) {
if token == "" { if token == "" {
return nil, ErrAccessTokenEmpty{} return nil, ErrAccessTokenEmpty{}
} }
if len(token) < 8 { // A token is defined as being SHA1 sum these are 40 hexadecimal bytes long
if len(token) != 40 {
return nil, ErrAccessTokenNotExist{token} return nil, ErrAccessTokenNotExist{token}
} }
for _, x := range []byte(token) {
if x < '0' || (x > '9' && x < 'a') || x > 'f' {
return nil, ErrAccessTokenNotExist{token}
}
}
var tokens []AccessToken var tokens []AccessToken
lastEight := token[len(token)-8:] lastEight := token[len(token)-8:]
err := x.Table(&AccessToken{}).Where("token_last_eight = ?", lastEight).Find(&tokens) err := x.Table(&AccessToken{}).Where("token_last_eight = ?", lastEight).Find(&tokens)