Fix for KeyStore DoS vulnerability

ava-labs#195
Shashank-In · Jun 2, 2020 · 8e8dd75 · 8e8dd75
1 parent 7671cab
commit 8e8dd75
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/api/keystore/service.go b/api/keystore/service.go
@@ -148,9 +148,17 @@ func (ks *Keystore) CreateUser(_ *http.Request, args *CreateUserArgs, reply *Cre
 		return fmt.Errorf("user already exists: %s", args.Username)
 	}
 
-	if zxcvbn.PasswordStrength(args.Password, nil).Score < requiredPassScore {
-		return errWeakPassword
-	}
+	if len(args.Password) < 50 {
+		if zxcvbn.PasswordStrength(args.Password, nil).Score < requiredPassScore {
+			return errWeakPassword
+		}
+	} 
+
+	if len(args.Password) >= 50 {
+		if zxcvbn.PasswordStrength(args.Password[:50], nil).Score < requiredPassScore {
+			return errWeakPassword
+			}
+		}
 
 	usr := &User{}
 	if err := usr.Initialize(args.Password); err != nil {