From f4623ea8dc7b0cd54dbdaea4da3c9333aefb7050 Mon Sep 17 00:00:00 2001
From: Harshavardhana <harsha@minio.io>
Date: Wed, 5 May 2021 16:36:39 -0700
Subject: [PATCH] fix: validate secret key before updating service accounts

---
 cmd/iam.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/cmd/iam.go b/cmd/iam.go
index 00f3c01e5..0b2f5567e 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1203,6 +1203,10 @@ func (sys *IAMSys) UpdateServiceAccount(ctx context.Context, accessKey string, o
 		return errNoSuchServiceAccount
 	}
 
+	if !auth.IsSecretKeyValid(opts.secretKey) {
+		return auth.ErrInvalidSecretKeyLength
+	}
+
 	if opts.secretKey != "" {
 		cr.SecretKey = opts.secretKey
 	}
@@ -1346,6 +1350,14 @@ func (sys *IAMSys) CreateUser(accessKey string, uinfo madmin.UserInfo) error {
 		return errIAMActionNotAllowed
 	}
 
+	if !auth.IsAccessKeyValid(accessKey) {
+		return auth.ErrInvalidAccessKeyLength
+	}
+
+	if !auth.IsSecretKeyValid(uinfo.SecretKey) {
+		return auth.ErrInvalidSecretKeyLength
+	}
+
 	sys.store.lock()
 	defer sys.store.unlock()
 
@@ -1388,6 +1400,14 @@ func (sys *IAMSys) SetUserSecretKey(accessKey string, secretKey string) error {
 		return errIAMActionNotAllowed
 	}
 
+	if !auth.IsAccessKeyValid(accessKey) {
+		return auth.ErrInvalidAccessKeyLength
+	}
+
+	if !auth.IsSecretKeyValid(secretKey) {
+		return auth.ErrInvalidSecretKeyLength
+	}
+
 	sys.store.lock()
 	defer sys.store.unlock()