Merge branch 'security-limit-fscanl-13-9' into '13-16-stable'

Read limited input for yes answer

See merge request gitlab-org/security/gitlab-shell!5

CHANGELOG

+v13.16.1
+
+- Read limited input for yes answer
+
 v13.16.0
 
 - RFC: Simple built-in SSH server !394

VERSION

-13.16.0
+13.16.1

internal/command/twofactorrecover/twofactorrecover.go

@@ -3,6 +3,7 @@ package twofactorrecover
 import (
 	"context"
 	"fmt"
+	"io"
 	"strings"
 
 	"gitlab.com/gitlab-org/gitlab-shell/internal/command/commandargs"
@@ -11,6 +12,8 @@ import (
 	"gitlab.com/gitlab-org/gitlab-shell/internal/gitlabnet/twofactorrecover"
 )
 
+const readerLimit = 1024
+
 type Command struct {
 	Config     *config.Config
 	Args       *commandargs.Shell
@@ -34,7 +37,7 @@ func (c *Command) canContinue() bool {
 	fmt.Fprintln(c.ReadWriter.Out, question)
 
 	var answer string
-	fmt.Fscanln(c.ReadWriter.In, &answer)
+	fmt.Fscanln(io.LimitReader(c.ReadWriter.In, readerLimit), &answer)
 
 	return answer == "yes"
 }

internal/command/twofactorrecover/twofactorrecover_test.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"io/ioutil"
 	"net/http"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -114,6 +115,13 @@ func TestExecute(t *testing.T) {
 			expectedOutput: question +
 				"New recovery codes have *not* been generated. Existing codes will remain valid.\n",
 		},
+		{
+			desc:      "With some other answer",
+			arguments: &commandargs.Shell{},
+			answer:    strings.Repeat("yes", 1024),
+			expectedOutput: question +
+				"New recovery codes have *not* been generated. Existing codes will remain valid.\n",
+		},
 	}
 
 	for _, tc := range testCases {