Reject passwords that are the same as login, first name, last name, or email (#37279).

Patch by Go MAEDA (@maeda). git-svn-id: https://svn.redmine.org/redmine/trunk@22888 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 11:37:14 +00:00 · 2024-06-21 05:32:46 +00:00 · 2024-06-21 05:32:46 +00:00 · 719b0ce615
commit 719b0ce615
parent 2706019f09
3 changed files with 30 additions and 0 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -117,6 +117,7 @@ class User < Principal
    validates_format_of :password, :with => v, :message => :"must_contain_#{k}", :allow_blank => true, :if => Proc.new {Setting.password_required_char_classes.include?(k)}
  end
  validate :validate_password_length
+  validate :validate_password_complexity
  validate do
    if password_confirmation && password != password_confirmation
      errors.add(:password, :confirmation)
@ -901,6 +902,16 @@ class User < Principal
    end
  end

+  def validate_password_complexity
+    return if password.blank? && generate_password?
+    return if password.nil?
+
+    # TODO: Enhance to check for more common and simple passwords
+    # like 'password', '123456', 'qwerty', etc.
+    bad_passwords = [login, firstname, lastname, mail] + email_addresses.map(&:address)
+    errors.add(:password, :too_simple) if bad_passwords.any? {|p| password.casecmp?(p)}
+  end
+
  def instantiate_email_address
    email_address || build_email_address
  end
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -114,6 +114,7 @@ en:
        blank: "cannot be blank"
        too_long: "is too long (maximum is %{count} characters)"
        too_short: "is too short (minimum is %{count} characters)"
+        too_simple: "is too simple"
        wrong_length: "is the wrong length (should be %{count} characters)"
        taken: "has already been taken"
        not_a_number: "is not a number"
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@ -558,6 +558,24 @@ class UserTest < ActiveSupport::TestCase
    end
  end

+  def test_validate_password_complexity
+    user = users(:users_002)
+    bad_passwords = [
+      user.login,
+      user.lastname,
+      user.firstname,
+      user.mail,
+      user.login.upcase
+    ]
+
+    bad_passwords.each do |p|
+      user.password = p
+      user.password_confirmation = p
+      assert_not user.save
+      assert user.errors.full_messages.include?('Password is too simple')
+    end
+  end
+
  def test_name_format
    assert_equal 'John S.', @jsmith.name(:firstname_lastinitial)
    assert_equal 'Smith, John', @jsmith.name(:lastname_comma_firstname)