Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/lib/security
diff options
context:
space:
mode:
Diffstat (limited to 'lib/security')
-rw-r--r--lib/security/ci_configuration/container_scanning_build_action.rb2
-rw-r--r--lib/security/ci_configuration/sast_build_action.rb2
-rw-r--r--lib/security/weak_passwords.rb12
3 files changed, 14 insertions, 2 deletions
diff --git a/lib/security/ci_configuration/container_scanning_build_action.rb b/lib/security/ci_configuration/container_scanning_build_action.rb
index 82f9f7d0320..f04c221fc40 100644
--- a/lib/security/ci_configuration/container_scanning_build_action.rb
+++ b/lib/security/ci_configuration/container_scanning_build_action.rb
@@ -12,7 +12,7 @@ module Security
def template
return 'Auto-DevOps.gitlab-ci.yml' if @auto_devops_enabled
- 'Security/Container-Scanning.gitlab-ci.yml'
+ 'Jobs/Container-Scanning.gitlab-ci.yml'
end
def comment
diff --git a/lib/security/ci_configuration/sast_build_action.rb b/lib/security/ci_configuration/sast_build_action.rb
index 448d4fbeacb..2b1964f7c87 100644
--- a/lib/security/ci_configuration/sast_build_action.rb
+++ b/lib/security/ci_configuration/sast_build_action.rb
@@ -68,7 +68,7 @@ module Security
end
def auto_devops_stages
- auto_devops_template = YAML.safe_load( Gitlab::Template::GitlabCiYmlTemplate.find('Auto-DevOps').content )
+ auto_devops_template = YAML.safe_load(Gitlab::Template::GitlabCiYmlTemplate.find('Auto-DevOps').content)
auto_devops_template['stages']
end
diff --git a/lib/security/weak_passwords.rb b/lib/security/weak_passwords.rb
index 42b02132933..0772ef42fea 100644
--- a/lib/security/weak_passwords.rb
+++ b/lib/security/weak_passwords.rb
@@ -9,6 +9,14 @@ module Security
# random password.
MINIMUM_SUBSTRING_SIZE = 4
+ # Passwords of 64+ characters are more likely to randomly include a
+ # forbidden substring.
+ #
+ # This length was chosen somewhat arbitrarily, balancing security,
+ # usability, and skipping checks on `::User.random_password` which
+ # is 128 chars. See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/105755
+ PASSWORD_SUBSTRING_CHECK_MAX_LENGTH = 64
+
class << self
# Returns true when the password is on a list of weak passwords,
# or contains predictable substrings derived from user attributes.
@@ -72,7 +80,11 @@ module Security
# Case-insensitively checks whether a password includes a dynamic
# list of substrings. Substrings which are too short are not
# predictable and may occur randomly, and therefore not checked.
+ # Similarly passwords which are long enough to inadvertently and
+ # randomly include a substring are not checked.
def contains_predicatable_substring?(password, substrings)
+ return unless password.length < PASSWORD_SUBSTRING_CHECK_MAX_LENGTH
+
substrings = substrings.filter_map do |substring|
substring.downcase if substring.length >= MINIMUM_SUBSTRING_SIZE
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-21 05:45:43 +0300