Place cap on api password length

No more than 48 characters should ever be in an api token. Cap it to avoid outrageous crypt behavior at large password length.
2025-01-28 11:57:37 +00:00 · 2022-03-08 09:15:13 -05:00 · 2022-03-08 09:15:13 -05:00 · e67bab4f12
commit e67bab4f12
parent 21c0372a5b
1 changed files with 4 additions and 0 deletions
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
@ -66,6 +66,10 @@ def handle_request(env, start_response):
        start_response('401 Unauthorized', [])
        yield 'Unauthorized'
        return
+    if len(apikey) > 48:
+        start_response('401', [])
+        yield 'Unauthorized'
+        return
    cfg = configmanager.ConfigManager(None)
    ea = cfg.get_node_attributes(nodename, ['crypted.selfapikey', 'deployment.apiarmed'])
    eak = ea.get(