#272 disallow usernames that look like filenames

2021-10-29 18:07:39 +02:00 · 2021-10-29 18:07:39 +02:00 · cc4be8ca6a
parent 74d07bacb5
commit cc4be8ca6a
2 changed files with 11 additions and 4 deletions
--- a/components/Account.vue
+++ b/components/Account.vue
@ -208,6 +208,7 @@
                    }

                    this.$store.commit('setToken', response.token);
+                    this.username = this.$user().username;
                    this.$cookies.set('token', this.$store.state.token, cookieSettings);
                    this.message = 'crud.saved';
                    this.messageIcon = 'check-circle';
--- a/server/routes/user.js
+++ b/server/routes/user.js
@ -26,6 +26,8 @@ const isSpam = (email) => {
        || email.length > 128;
 }

+const replaceExtension = username => username.replace(/\.(txt|jpg|jpeg|png|pdf|gif|doc|docx|csv)$/i, '_$1');
+
 const saveAuthenticator = async (db, type, user, payload, validForMinutes = null) => {
    const id = ulid();
    await db.get(SQL`INSERT INTO authenticators (id, userId, type, payload, validUntil) VALUES (
@ -76,10 +78,12 @@ const invalidateAuthenticator = async (db, id) => {

 const defaultUsername = async (db, email) => {
    const base = normalise(
-        email.substring(0, email.includes('@') ? email.indexOf('@') : email.length)
-            .padEnd(4, '0')
-            .substring(0, 14)
-            .replace(new RegExp(`[^${USERNAME_CHARS}]`, 'g'), '_')
+        replaceExtension(
+            email.substring(0, email.includes('@') ? email.indexOf('@') : email.length)
+                .padEnd(4, '0')
+                .substring(0, 14)
+                .replace(new RegExp(`[^${USERNAME_CHARS}]`, 'g'), '_')
+        )
    );

    const conflicts = (await db.all(SQL`SELECT usernameNorm FROM users WHERE usernameNorm LIKE ${normalise(base) + '%'}`))
@ -295,6 +299,8 @@ router.post('/user/change-username', handleErrorAsync(async (req, res) => {
        return res.json({ error: 'user.account.changeUsername.invalid' });
    }

+    req.body.username = replaceExtension(req.body.username);
+
    const dbUser = await req.db.get(SQL`SELECT * FROM users WHERE usernameNorm = ${normalise(req.body.username)}`);
    if (dbUser && dbUser.id !== req.user.id) {
        return res.json({ error: 'user.account.changeUsername.taken' })