[fix](auth)fix use regex verify mysql password may cause backtracking (#24900)

DongLiang-0
2023-10-08 12:18:20 +08:00
committed by GitHub
parent b4e385e926
commit 737124aaef


@ -31,6 +31,8 @@ import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Random;
import java.util.Set;
import java.util.stream.Collectors;
// this is stolen from MySQL
//
@ -83,6 +85,12 @@ public class MysqlPassword {
private static final byte[] DIG_VEC_UPPER = {'0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', 'A', 'B', 'C', 'D', 'E', 'F'};
private static final Random random = new SecureRandom();
private static final Set<Character> complexCharSet;
public static final int MIN_PASSWORD_LEN = 8;
static {
complexCharSet = "~!@#$%^&*()_+|<>,.?/:;'[]{}".chars().mapToObj(c -> (char) c).collect(Collectors.toSet());
}
public static byte[] createRandomString(int len) {
byte[] bytes = new byte[len];
@ -281,12 +289,6 @@ public class MysqlPassword {
return passwd;
}
public static final String REG_NUMBER = ".*\\d+.*";
public static final String REG_UPPERCASE = ".*[A-Z]+.*";
public static final String REG_LOWERCASE = ".*[a-z]+.*";
public static final String REG_SYMBOL = ".*[~!@#$%^&*()_+|<>,.?/:;'\\[\\]{}\"]+.*";
public static final int MIN_PASSWORD_LEN = 8;
public static void validatePlainPassword(long validaPolicy, String text) throws AnalysisException {
if (validaPolicy == GlobalVariable.VALIDATE_PASSWORD_POLICY_STRONG) {
if (Strings.isNullOrEmpty(text) || text.length() < MIN_PASSWORD_LEN) {
@ -295,16 +297,16 @@ public class MysqlPassword {
}
int i = 0;
if (text.matches(REG_NUMBER)) {
if (text.chars().anyMatch(Character::isDigit)) {
i++;
}
if (text.matches(REG_LOWERCASE)) {
if (text.chars().anyMatch(Character::isLowerCase)) {
i++;
}
if (text.matches(REG_UPPERCASE)) {
if (text.chars().anyMatch(Character::isUpperCase)) {
i++;
}
if (text.matches(REG_SYMBOL)) {
if (text.chars().anyMatch(c -> complexCharSet.contains((char) c))) {
i++;
}
if (i < 3) {
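Review bot: The new `complexCharSet` literal in the static initializer drops the double quote that the removed `REG_SYMBOL` class accepted (it ended `{}\"]`), so a password whose only symbol is `"` no longer earns the symbol point in `validatePlainPassword` and may now be rejected under the STRONG policy; if that is not intended, the literal should end `'[]{}\""`. The digit and case checks also widen from ASCII (`\d`, `[a-z]`, `[A-Z]`) to any Unicode digit or cased letter through `Character::isDigit`, `Character::isLowerCase` and `Character::isUpperCase`; if the policy is meant to stay ASCII-only, range tests such as `c -> c >= '0' && c <= '9'` keep the old semantics without bringing the regex back. A one-line comment on `complexCharSet` naming the symbols that count, backed by a unit test per character class, would make this kind of drift visible in review. The body of `validatePlainPassword` starts in the previous hunk and continues past the end of this one.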