Extend body verifier to sanitize, regex trim, and length check

2024-11-27 21:19:09 -05:00 · 2018-08-01 12:34:15 -04:00 · 2018-08-01 12:34:15 -04:00 · 21fe0de46d
commit 21fe0de46d
parent c23c9b345e
3 changed files with 19 additions and 11 deletions
--- a/app/routes/api/auth.js
+++ b/app/routes/api/auth.js
@ -50,13 +50,6 @@ const validateInvite = wrap(async (req, res, next) => {
 const validateUsername = wrap(async (req, res, next) => {
    const username = req.body.username;

-    if (username.length > config.get('User.Username.maxLength'))
-        return res.status(422).json({message: 'Username too long.'});
-
-    const restrictedRegex = new RegExp(config.get('User.Username.restrictedChars'), 'g');
-    if (username !== req.sanitize(username).replace(restrictedRegex, ''))
-        return res.status(422).json({message: 'Username contains invalid characters.'});
-
    const count = await User.countDocuments({username: username}).catch(next);
    if (count !== 0)
        return res.status(422).json({message: 'Username in use.'});
@ -65,7 +58,13 @@ const validateUsername = wrap(async (req, res, next) => {
 });

 const registerProps = [
-    {name: 'displayname', type: 'string'},
+    {
+        name: 'displayname',
+        type: 'string',
+        maxLength: config.get('User.Username.maxLength'),
+        sanitize: true,
+        restrict: new RegExp(config.get('User.Username.restrictedChars')),
+    },
    {name: 'password', type: 'string'},
    {name: 'invite', type: 'string'}];
 router.post('/register',
--- a/app/util/verifyBody.js
+++ b/app/util/verifyBody.js
@ -16,6 +16,15 @@ const verifyBody = expectedProps =>

            if (prop && expected.instance && !(prop instanceof expected.instance))
                return res.status(400).json({message: expected.name + ' malformed.'});
+
+            if (prop && expected.maxLength && prop.length > expected.maxLength)
+                return res.status(422).json({message: expected.name + ' too long.'});
+
+            if (prop && expected.sanitize && req.sanitize(prop) !== prop)
+                return res.status(422).json({message: expected.name + ' contains invalid characters.'});
+
+            if (prop && expected.restrict && prop.replace(expected.restrict, '') !== prop)
+                return res.status(422).json({message: expected.name + ' contains invalid characters.'});
        }
        next();
    };
--- a/test/api.js
+++ b/test/api.js
@ -121,20 +121,20 @@ describe('Authentication', function() {
                    {displayname: 'user name', password: 'pass', invite: 'code2'}
                ];

-                const failMsg = 'Username contains invalid characters.';
+                const failMsg = 'displayname contains invalid characters.';
                return Promise.all(users.map(user => verifyRejectedUsername(user, failMsg)));
            });

            it('MUST NOT register a username containing HTML', async () => {
                await util.createTestInvite();
                const user = {displayname: 'user<svg/onload=alert("XSS")>', password: 'pass', invite: 'code'};
-                return verifyRejectedUsername(user, 'Username contains invalid characters.');
+                return verifyRejectedUsername(user, 'displayname contains invalid characters.');
            });

            it('MUST NOT register a username with too many characters', async () => {
                await util.createTestInvite();
                const user = {displayname: '123456789_123456789_123456789_1234567', password: 'pass', invite: 'code'};
-                return verifyRejectedUsername(user, 'Username too long.');
+                return verifyRejectedUsername(user, 'displayname too long.');
            })
        });