Diffstat (limited to 'lib/security')
-rw-r--r-- | lib/security/ci_configuration/container_scanning_build_action.rb | 2 | ||||
-rw-r--r-- | lib/security/ci_configuration/sast_build_action.rb | 2 | ||||
-rw-r--r-- | lib/security/weak_passwords.rb | 12 |
3 files changed, 14 insertions, 2 deletions
diff --git a/lib/security/ci_configuration/container_scanning_build_action.rb b/lib/security/ci_configuration/container_scanning_build_action.rb
index 82f9f7d0320..f04c221fc40 100644
--- a/lib/security/ci_configuration/container_scanning_build_action.rb
+++ b/lib/security/ci_configuration/container_scanning_build_action.rb
@@ -12,7 +12,7 @@ module Security
 def template
 return 'Auto-DevOps.gitlab-ci.yml' if @auto_devops_enabled
- 'Security/Container-Scanning.gitlab-ci.yml'
+ 'Jobs/Container-Scanning.gitlab-ci.yml'
 end
 def comment
diff --git a/lib/security/ci_configuration/sast_build_action.rb b/lib/security/ci_configuration/sast_build_action.rb
index 448d4fbeacb..2b1964f7c87 100644
--- a/lib/security/ci_configuration/sast_build_action.rb
+++ b/lib/security/ci_configuration/sast_build_action.rb
@@ -68,7 +68,7 @@ module Security
 end
 def auto_devops_stages
- auto_devops_template = YAML.safe_load( Gitlab::Template::GitlabCiYmlTemplate.find('Auto-DevOps').content )
+ auto_devops_template = YAML.safe_load(Gitlab::Template::GitlabCiYmlTemplate.find('Auto-DevOps').content)
 auto_devops_template['stages']
 end
diff --git a/lib/security/weak_passwords.rb b/lib/security/weak_passwords.rb
index 42b02132933..0772ef42fea 100644
--- a/lib/security/weak_passwords.rb
+++ b/lib/security/weak_passwords.rb
@@ -9,6 +9,14 @@ module Security
 # random password.
 MINIMUM_SUBSTRING_SIZE = 4
+ # Passwords of 64+ characters are more likely to randomly include a
+ # forbidden substring.
+ #
+ # This length was chosen somewhat arbitrarily, balancing security,
+ # usability, and skipping checks on `::User.random_password` which
+ # is 128 chars. See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/105755
+ PASSWORD_SUBSTRING_CHECK_MAX_LENGTH = 64
+
 class << self
 # Returns true when the password is on a list of weak passwords,
 # or contains predictable substrings derived from user attributes.
@@ -72,7 +80,11 @@ module Security
 # Case-insensitively checks whether a password includes a dynamic
 # list of substrings. Substrings which are too short are not
 # predictable and may occur randomly, and therefore not checked.
+ # Similarly passwords which are long enough to inadvertently and
+ # randomly include a substring are not checked.
 def contains_predicatable_substring?(password, substrings)
+ return unless password.length < PASSWORD_SUBSTRING_CHECK_MAX_LENGTH
+
 substrings = substrings.filter_map do |substring|
 substring.downcase if substring.length >= MINIMUM_SUBSTRING_SIZE
 end
 |
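Review bot: The new guard `return unless password.length < PASSWORD_SUBSTRING_CHECK_MAX_LENGTH` makes a `?` predicate return `nil` instead of `false` on the skip path, which is falsy but surprises callers that compare, serialize or log the result; write it as `return false unless password.length < PASSWORD_SUBSTRING_CHECK_MAX_LENGTH`. The skip is keyed on length alone, so a 64-character user-chosen password assembled from the user's own attributes (for example the username repeated) now passes this check; that trade-off is presumably intended, since the constant's comment talks about balancing security and usability, but the method comment should state it plainly, e.g. `# NOTE: passwords of PASSWORD_SUBSTRING_CHECK_MAX_LENGTH chars or more skip this check entirely, even when user-chosen.` The weak-password list check appears to live elsewhere and is presumably unaffected by this guard. The body of `contains_predicatable_substring?` continues past the end of the hunk.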