Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

base: Hartmut/CapaKraken:security/password-policy-blacklist
Branches Tags
Hartmut/CapaKraken:main Hartmut/CapaKraken:security/password-policy-blacklist Hartmut/CapaKraken:security/audit-2026-04-17
Hartmut/CapaKraken:pre-rename-backup
..
compare: Hartmut/CapaKraken:9ef7114c77d077f16d57783b61623c53be7c16aa
Branches Tags
Hartmut/CapaKraken:security/password-policy-blacklist Hartmut/CapaKraken:main Hartmut/CapaKraken:security/audit-2026-04-17
Hartmut/CapaKraken:pre-rename-backup

1 Commits
security/password-policy-blacklist .. 9ef7114c77

Author SHA1 Message Date
Hartmut 9ef7114c77 security: reject common/weak passwords on every set-password path (#31)
CI / Architecture Guardrails (pull_request) Successful in 3m49s
Details
CI / Typecheck (pull_request) Failing after 4m26s
Details
CI / Build (pull_request) Has been skipped
Details
CI / Fresh-Linux Docker Deploy (pull_request) Has been skipped
Details
CI / Lint (pull_request) Successful in 7m52s
Details
CI / Assistant Split Regression (pull_request) Successful in 9m18s
Details
CI / Unit Tests (pull_request) Successful in 11m35s
Details
CI / E2E Tests (pull_request) Has been skipped
Details
CI / Release Images (pull_request) Has been skipped
Details 
Adds a synchronous policy check that blocks (1) the curated >=12-char
common-password list (rockyou top, predictable seasonal, admin defaults),
(2) trivial patterns (single-char repeat, short-pattern repeat, keyboard
or numeric sequences), and (3) passwords containing the user's email
local-part or any name component. Wired into all five password-mutation
sites: first-admin setup, admin createUser/setUserPassword, invite
acceptance, and password-reset.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-04-18 14:02:43 +02:00
2 changed files with 12 additions and 12 deletions
Expand all files Collapse all files
packages/application/src/__tests__/read-workbook.test.ts
+2 -2
View File
@@ -137,7 +137,7 @@ describe("readWorksheetMatrix", () => {
await expect(readWorksheetMatrix(workbookPath, "Sheet1")).rejects.toThrow(
`exceeds the ${MAX_DISPO_WORKBOOK_ROWS} row import limit`,
);
}, 60000);
}, 30000);
it("rejects worksheets that exceed the column limit", async () => {
const directory = await makeTempDirectory();
@@ -149,7 +149,7 @@ describe("readWorksheetMatrix", () => {
await expect(readWorksheetMatrix(workbookPath, "Sheet1")).rejects.toThrow(
`exceeds the ${MAX_DISPO_WORKBOOK_COLUMNS} column import limit`,
);
}, 60000);
}, 30000);
describe("DISPO_IMPORT_DIR allowlist", () => {
it("rejects absolute paths that escape the configured import dir", async () => {
packages/shared/src/__tests__/password-policy.test.ts
+10 -10
View File
@@ -6,13 +6,13 @@ describe("checkPasswordPolicy", () => {
it("rejects passwords shorter than 12 chars", () => {
const result = checkPasswordPolicy("short1!");
expect(result.ok).toBe(false);
if (!result.ok) expect(result.reason).toMatch(/at least 12/i);
expect(result.reason).toMatch(/at least 12/i);
});
it("rejects passwords longer than 128 chars", () => {
const result = checkPasswordPolicy("A".repeat(129));
expect(result.ok).toBe(false);
if (!result.ok) expect(result.reason).toMatch(/no more than 128/i);
expect(result.reason).toMatch(/no more than 128/i);
});
it("accepts passwords at the lower bound that pass other checks", () => {
@@ -25,25 +25,25 @@ describe("checkPasswordPolicy", () => {
it("rejects single char repeated", () => {
const result = checkPasswordPolicy("aaaaaaaaaaaa");
expect(result.ok).toBe(false);
if (!result.ok) expect(result.reason).toMatch(/single character/i);
expect(result.reason).toMatch(/single character/i);
});
it("rejects short patterns repeated", () => {
const result = checkPasswordPolicy("abcabcabcabc");
expect(result.ok).toBe(false);
if (!result.ok) expect(result.reason).toMatch(/short pattern/i);
expect(result.reason).toMatch(/short pattern/i);
});
it("rejects '1212121212121212' (2-char pattern repeated)", () => {
const result = checkPasswordPolicy("1212121212121212");
expect(result.ok).toBe(false);
if (!result.ok) expect(result.reason).toMatch(/short pattern/i);
expect(result.reason).toMatch(/short pattern/i);
});
it("rejects keyboard sequences like 'abcdefghijkl'", () => {
const result = checkPasswordPolicy("abcdefghijkl");
expect(result.ok).toBe(false);
if (!result.ok) expect(result.reason).toMatch(/sequence/i);
expect(result.reason).toMatch(/sequence/i);
});
it("rejects numeric runs like '1234567890ab'", () => {
@@ -57,13 +57,13 @@ describe("checkPasswordPolicy", () => {
it("rejects 'PasswordPassword' (case-insensitive)", () => {
const result = checkPasswordPolicy("PasswordPassword");
expect(result.ok).toBe(false);
if (!result.ok) expect(result.reason).toMatch(/commonly used/i);
expect(result.reason).toMatch(/commonly used/i);
});
it("rejects 'Welcome2026!' seasonal password", () => {
const result = checkPasswordPolicy("Welcome2026!");
expect(result.ok).toBe(false);
if (!result.ok) expect(result.reason).toMatch(/commonly used/i);
expect(result.reason).toMatch(/commonly used/i);
});
it("rejects 'Summer2025!' regardless of case", () => {
@@ -78,7 +78,7 @@ describe("checkPasswordPolicy", () => {
email: "hartmut@example.com",
});
expect(result.ok).toBe(false);
if (!result.ok) expect(result.reason).toMatch(/email or name/i);
expect(result.reason).toMatch(/email or name/i);
});
it("rejects passwords containing the user name", () => {
@@ -86,7 +86,7 @@ describe("checkPasswordPolicy", () => {
name: "Hartmut Noerenberg",
});
expect(result.ok).toBe(false);
if (!result.ok) expect(result.reason).toMatch(/email or name/i);
expect(result.reason).toMatch(/email or name/i);
});
it("ignores short email locals to avoid false positives", () => {