From 29fc3681b9c3d4e630534c0f6adb0b73d7fcf04f Mon Sep 17 00:00:00 2001
From: Dessalines
Date: Thu, 28 May 2020 14:07:36 -0400
Subject: [PATCH] Validate register usernames on the back-end. Fixes #716 (#750)

* Validate register usernames on the back-end. Fixes #716

* Changing name to is_valid_username
---
 server/src/api/user.rs | 5 +++++
 server/src/lib.rs | 18 ++++++++++++++++--
 ui/translations/en.json | 1 +
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/server/src/api/user.rs b/server/src/api/user.rs
index c2734f512..ee57723a1 100644
--- a/server/src/api/user.rs
+++ b/server/src/api/user.rs
@@ -1,4 +1,5 @@
 use super::*;
+use crate::is_valid_username;
 use bcrypt::verify;
 
 #[derive(Serialize, Deserialize, Debug)]
@@ -261,6 +262,10 @@ impl Perform for Oper {
 return Err(APIError::err("admin_already_created").into());
 }
 
+ if !is_valid_username(&data.username) {
+ return Err(APIError::err("invalid_username").into());
+ }
+
 // Register the new user
 let user_form = UserForm {
 name: data.username.to_owned(),
diff --git a/server/src/lib.rs b/server/src/lib.rs
index d1531d7e0..ca4bedea7 100644
--- a/server/src/lib.rs
+++ b/server/src/lib.rs
@@ -269,11 +269,15 @@ pub fn get_ip(conn_info: &ConnectionInfo) -> String {
 .to_string()
 }
 
+pub fn is_valid_username(name: &str) -> bool {
+ VALID_USERNAME_REGEX.is_match(name)
+}
+
 #[cfg(test)]
 mod tests {
 use crate::{
- extract_usernames, is_email_regex, is_image_content_type, remove_slurs, slur_check,
- slurs_vec_to_str,
+ extract_usernames, is_email_regex, is_image_content_type, is_valid_username, remove_slurs,
+ slur_check, slurs_vec_to_str,
 };
 
 #[test]
@@ -291,6 +295,15 @@ mod tests {
 assert!(!is_email_regex("nada_neutho"));
 }
 
+ #[test]
+ fn test_valid_register_username() {
+ assert!(is_valid_username("Hello_98"));
+ assert!(is_valid_username("ten"));
+ assert!(!is_valid_username("Hello-98"));
+ assert!(!is_valid_username("a"));
+ assert!(!is_valid_username(""));
+ }
+
 #[test]
 fn test_slur_filter() {
 let test = 
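Review bot: The new `is_valid_username` guard in the Register handler carries no comment saying that it is the authoritative check, so a later reader may assume the UI's form validation (the `invalid_username` string added to en.json suggests the front end surfaces it) already covers this and move or drop the server-side call. I would add, directly above the `if`: `// Authoritative check: the UI form validation is advisory only, since the API can be called directly with any payload.` The handler's body begins and ends outside this hunk, so I cannot see whether other user-creating paths exist; if any do, they presumably need the same call before building their `UserForm`.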
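Review bot: `is_valid_username` is a new `pub fn` in lib.rs with no doc comment, and its contract is only discoverable by reading `VALID_USERNAME_REGEX` in a different hunk of this patch. I would add above the signature: `/// Returns true when `name` is acceptable as a registration username: 3–20 ASCII letters, digits or underscores (see `VALID_USERNAME_REGEX`). Non-ASCII names are rejected by design.` Stating the ASCII-only rule in the doc matters because the regex class is `[a-zA-Z0-9_]`, so the `{3,20}` bound is a count of those characters, not bytes, and a caller should not widen the class without revisiting every place the username is later embedded.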
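Review bot: `test_valid_register_username` pins the lower bound (`"a"`, `""`) but not the upper bound or the ASCII-only class that `VALID_USERNAME_REGEX` encodes, so a later edit to `{3,20}` or to the character class would pass this test unnoticed. I would add `assert!(is_valid_username(&"a".repeat(20)));`, `assert!(!is_valid_username(&"a".repeat(21)));` and `assert!(!is_valid_username("héllo"));` after the existing assertions. The enclosing `mod tests` continues outside the hunk, and the `test_slur_filter` context line is cut off at the end of the hunk.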
@@ -352,4 +365,5 @@ lazy_static! {
 static ref EMAIL_REGEX: Regex = Regex::new(r"^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$").unwrap();
 static ref SLUR_REGEX: Regex = RegexBuilder::new(r"(fag(g|got|tard)?|maricos?|cock\s?sucker(s|ing)?|nig(\b|g?(a|er)?(s|z)?)\b|dindu(s?)|mudslime?s?|kikes?|mongoloids?|towel\s*heads?|\bspi(c|k)s?\b|\bchinks?|niglets?|beaners?|\bnips?\b|\bcoons?\b|jungle\s*bunn(y|ies?)|jigg?aboo?s?|\bpakis?\b|rag\s*heads?|gooks?|cunts?|bitch(es|ing|y)?|puss(y|ies?)|twats?|feminazis?|whor(es?|ing)|\bslut(s|t?y)?|\btrann?(y|ies?)|ladyboy(s?)|\b(b|re|r)tard(ed)?s?)").case_insensitive(true).build().unwrap();
 static ref USERNAME_MATCHES_REGEX: Regex = Regex::new(r"/u/[a-zA-Z][0-9a-zA-Z_]*").unwrap();
+ static ref VALID_USERNAME_REGEX: Regex = Regex::new(r"^[a-zA-Z0-9_]{3,20}$").unwrap();
 }
diff --git a/ui/translations/en.json b/ui/translations/en.json
index 703bdaec1..ff28a3cf4 100644
--- a/ui/translations/en.json
+++ b/ui/translations/en.json
@@ -249,6 +249,7 @@
 "Couldn't find that username or email.",
 "password_incorrect": "Password incorrect.",
 "passwords_dont_match": "Passwords do not match.",
+ "invalid_username": "Invalid username.",
 "admin_already_created": "Sorry, there's already an admin.",
 "user_already_exists": "User already exists.",
 "email_already_exists": "Email already exists.",
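Review bot: The new `VALID_USERNAME_REGEX` disagrees with the neighbouring `USERNAME_MATCHES_REGEX` on the first character: registration now accepts names starting with a digit or underscore (`98_user`), while the mention pattern `/u/[a-zA-Z][0-9a-zA-Z_]*` only matches names that start with a letter, so `/u/98_user` would not be extracted as a mention. Either align the two, e.g. `static ref VALID_USERNAME_REGEX: Regex = Regex::new(r"^[a-zA-Z][a-zA-Z0-9_]{2,19}$").unwrap();`, or leave a comment next to the new pattern explaining why the divergence is intended. If names created before this patch are not re-validated (the hunk does not show any migration), tightening the class only affects new registrations, which is worth saying in the same comment.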