Don't allow blank passwords on the password change endpoint; closes pterodactyl#2750

DaneEveritt · DaneEveritt · commit 7ebe04fb911b · 2020-11-29T13:28:46.000-08:00
diff --git a/app/Http/Requests/Api/Client/Account/UpdatePasswordRequest.php b/app/Http/Requests/Api/Client/Account/UpdatePasswordRequest.php
@@ -2,7 +2,6 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Account;
 
-use Pterodactyl\Models\User;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 use Pterodactyl\Exceptions\Http\Base\InvalidPasswordProvidedException;
 
@@ -32,8 +31,8 @@ public function authorize(): bool
      */
     public function rules(): array
     {
-        $rules = User::getRulesForUpdate($this->user());
-
-        return ['password' => array_merge($rules['password'], ['confirmed'])];
+        return [
+            'password' => ['required', 'string', 'confirmed', 'min:8'],
+        ];
     }
 }
diff --git a/tests/Integration/Api/Client/AccountControllerTest.php b/tests/Integration/Api/Client/AccountControllerTest.php
@@ -140,6 +140,29 @@ public function testPasswordIsNotUpdatedIfCurrentPasswordIsInvalid()
         $response->assertJsonPath('errors.0.detail', 'The password provided was invalid for this account.');
     }
 
+    /**
+     * Test that a validation error is returned to the user if no password is provided or if
+     * the password is below the minimum password length.
+     */
+    public function testErrorIsReturnedForInvalidRequestData()
+    {
+        $user = factory(User::class)->create();
+
+        $this->actingAs($user)->putJson('/api/client/account/password', [
+            'current_password' => 'password',
+        ])
+            ->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
+            ->assertJsonPath('errors.0.meta.rule', 'required');
+
+        $this->actingAs($user)->putJson('/api/client/account/password', [
+            'current_password' => 'password',
+            'password' => 'pass',
+            'password_confirmation' => 'pass',
+        ])
+            ->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY)
+            ->assertJsonPath('errors.0.meta.rule', 'min');
+    }
+
     /**
      * Test that a validation error is returned if the password passed in the request
      * does not have a confirmation, or the confirmation is not the same as the password.

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@`
`2`	`2`
`3`	`3`	`namespace Pterodactyl\Http\Requests\Api\Client\Account;`
`4`	`4`
`5`		`-use Pterodactyl\Models\User;`
`6`	`5`	`use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;`
`7`	`6`	`use Pterodactyl\Exceptions\Http\Base\InvalidPasswordProvidedException;`
`8`	`7`
`@@ -32,8 +31,8 @@ public function authorize(): bool`
`32`	`31`	`*/`
`33`	`32`	`public function rules(): array`
`34`	`33`	`{`
`35`		`- $rules = User::getRulesForUpdate($this->user());`
`36`		`-`
`37`		`- return ['password' => array_merge($rules['password'], ['confirmed'])];`
	`34`	`+ return [`
	`35`	`+ 'password' => ['required', 'string', 'confirmed', 'min:8'],`
	`36`	`+ ];`
`38`	`37`	`}`
`39`	`38`	`}`