Avoid DOS route with authentication of extremely long passwords.

gbif · Mar 12, 2024 · 60c3147 · 60c3147
1 parent b769059
commit 60c3147
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/registry-identity/src/main/java/org/gbif/registry/identity/service/IdentityServiceImpl.java b/registry-identity/src/main/java/org/gbif/registry/identity/service/IdentityServiceImpl.java
@@ -208,7 +208,12 @@ public PagingResponse<GbifUser> search(
   @Override
   @Nullable
   public GbifUser authenticate(String username, String password) {
-    if (Strings.isNullOrEmpty(username) || password == null) {
+    if (Strings.isNullOrEmpty(username) || Strings.isNullOrEmpty(password)) {
+      return null;
+    }
+
+    // Avoid DOS route with an attacker trying extremely long passwords.
+    if (!PASSWORD_LENGTH_RANGE.contains(password.length())) {
       return null;
     }