From ae6b4f857f51765dac310e8075c2c3f88e51dcab Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Thu, 31 Mar 2022 00:09:06 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-9-stable-ee

---
 app/models/user.rb | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'app')

diff --git a/app/models/user.rb b/app/models/user.rb
index b3bdc2c1c42..bc02f0ba55e 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -879,6 +879,23 @@ class User < ApplicationRecord
     reset_password_sent_at.present? && reset_password_sent_at >= 1.minute.ago
   end
 
+  # See https://gitlab.com/gitlab-org/security/gitlab/-/issues/638
+  DISALLOWED_PASSWORDS = %w[123qweQWE!@#000000000].freeze
+
+  # Overwrites valid_password? from Devise::Models::DatabaseAuthenticatable
+  # In constant-time, check both that the password isn't on a denylist AND
+  # that the password is the user's password
+  def valid_password?(password)
+    password_allowed = true
+    DISALLOWED_PASSWORDS.each do |disallowed_password|
+      password_allowed = false if Devise.secure_compare(password, disallowed_password)
+    end
+
+    original_result = super
+
+    password_allowed && original_result
+  end
+
   def remember_me!
     super if ::Gitlab::Database.read_write?
   end
--
cgit v1.2.3
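Review bot: The header comment's "In constant-time" overstates what the new valid_password? guarantees, because Devise.secure_compare returns early when the two inputs differ in byte size, so the denylist comparison is constant-time only among equal-length inputs; rewording it to "without short-circuiting" would be accurate. The deliberate shape of the loop — an unconditional `.each` that sets a flag instead of `any?`/`none?`, followed by an unconditional `super` before the `&&` — is what ensures every denylist entry is compared and the stored-password check always runs, and that intent is easy to lose in a later tidy-up, so it deserves a line such as `# No short-circuit on purpose: compare every entry and always call super so a denylisted password is not distinguishable by timing`. Note also that this only rejects the submitted value; any account that already has a denylisted password stored is presumably dealt with elsewhere, which is not visible in this hunk. The enclosing User class starts and ends outside the hunk.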