Fix for KeyStore DoS vulnerability

https://github.com/ava-labs/gecko/issues/195
2020-06-02 22:47:02 +05:30 · 2020-06-02 22:47:02 +05:30 · 8e8dd7529b
parent 7671cab972
commit 8e8dd7529b
1 changed files with 11 additions and 3 deletions
--- a/api/keystore/service.go
+++ b/api/keystore/service.go
@ -148,9 +148,17 @@ func (ks *Keystore) CreateUser(_ *http.Request, args *CreateUserArgs, reply *Cre
 		return fmt.Errorf("user already exists: %s", args.Username)
 	}

-	if zxcvbn.PasswordStrength(args.Password, nil).Score < requiredPassScore {
-		return errWeakPassword
-	}
+	if len(args.Password) < 50 {
+		if zxcvbn.PasswordStrength(args.Password, nil).Score < requiredPassScore {
+			return errWeakPassword
+		}
+	} 
+
+	if len(args.Password) >= 50 {
+		if zxcvbn.PasswordStrength(args.Password[:50], nil).Score < requiredPassScore {
+			return errWeakPassword
+			}
+		}

 	usr := &User{}
 	if err := usr.Initialize(args.Password); err != nil {