fix: passthrough the minimum password length (#5236)

2025-11-26 14:25:26 +08:00 · 2025-06-29 11:28:32 +02:00
parent 7354eb6cf9
commit bf37f88c32
11 changed files with 100065 additions and 30 deletions
--- a/users/assets.go
+++ b/users/assets.go
@@ -0,0 +1,26 @@
+package users
+
+import (
+	"embed"
+	"strings"
+)
+
+//go:embed assets
+var assets embed.FS
+var commonPasswords map[string]struct{}
+
+//nolint:gochecknoinits
+func init() {
+	// Password list sourced from:
+	// https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/100k-most-used-passwords-NCSC.txt
+	data, err := assets.ReadFile("assets/common-passwords.txt")
+	if err != nil {
+		panic(err)
+	}
+
+	passwords := strings.Split(strings.TrimSpace(string(data)), "\n")
+	commonPasswords = make(map[string]struct{}, len(passwords))
+	for _, password := range passwords {
+		commonPasswords[strings.TrimSpace(password)] = struct{}{}
+	}
+}
--- a/users/assets/common-passwords.txt
+++ b/users/assets/common-passwords.txt
--- a/users/password.go
+++ b/users/password.go
@@ -9,10 +9,14 @@ import (
 	fbErrors "github.com/filebrowser/filebrowser/v2/errors"
 )

-// HashPwd hashes a password.
-func HashAndValidatePwd(password string, minimumLength uint) (string, error) {
+// ValidateAndHashPwd validates and hashes a password.
+func ValidateAndHashPwd(password string, minimumLength uint) (string, error) {
 	if uint(len(password)) < minimumLength {
-		return "", fbErrors.ErrShortPassword
+		return "", fbErrors.ErrShortPassword{MinimumLength: minimumLength}
+	}
+
+	if _, ok := commonPasswords[password]; ok {
+		return "", fbErrors.ErrEasyPassword
 	}

 	return HashPwd(password)