From cc4be8ca6a1d380bab0777b2a619983c798d7282 Mon Sep 17 00:00:00 2001
From: Avris
Date: Fri, 29 Oct 2021 18:07:39 +0200
Subject: [PATCH] #272 disallow usernames that look like filenames
---
components/Account.vue | 1 +
server/routes/user.js | 14 ++++++++++----
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/components/Account.vue b/components/Account.vue
index 85f48b7c..78109649 100644
--- a/components/Account.vue
+++ b/components/Account.vue
@@ -208,6 +208,7 @@
 }
 this.$store.commit('setToken', response.token);
+this.username = this.$user().username;
 this.$cookies.set('token', this.$store.state.token, cookieSettings);
 this.message = 'crud.saved';
 this.messageIcon = 'check-circle';
diff --git a/server/routes/user.js b/server/routes/user.js
index 856b9240..d14b7a0d 100644
--- a/server/routes/user.js
+++ b/server/routes/user.js
@@ -26,6 +26,8 @@ const isSpam = (email) => {
 || email.length > 128;
 }
+const replaceExtension = username => username.replace(/\.(txt|jpg|jpeg|png|pdf|gif|doc|docx|csv)$/i, '_$1');
+
 const saveAuthenticator = async (db, type, user, payload, validForMinutes = null) => {
 const id = ulid();
 await db.get(SQL`INSERT INTO authenticators (id, userId, type, payload, validUntil) VALUES (
@@ -76,10 +78,12 @@ const invalidateAuthenticator = async (db, id) => {
 const defaultUsername = async (db, email) => {
 const base = normalise(
- email.substring(0, email.includes('@') ? email.indexOf('@') : email.length)
- .padEnd(4, '0')
- .substring(0, 14)
- .replace(new RegExp(`[^${USERNAME_CHARS}]`, 'g'), '_')
+ replaceExtension(
+ email.substring(0, email.includes('@') ? email.indexOf('@') : email.length)
+ .padEnd(4, '0')
+ .substring(0, 14)
+ .replace(new RegExp(`[^${USERNAME_CHARS}]`, 'g'), '_')
+ )
 );
 const conflicts = (await db.all(SQL`SELECT usernameNorm FROM users WHERE usernameNorm LIKE ${normalise(base) + '%'}`))
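Review bot: `replaceExtension` is a fixed denylist of nine extensions, so a username ending in any other suffix a server or proxy might serve as a file (`.html`, `.json`, `.xml`, `.js`, `.css`, `.svg`, …) still gets through, which leaves the goal stated in the subject only partly met. If dotted suffixes are not otherwise legitimate usernames, a generic suffix test is safer than enumerating, e.g. `const replaceExtension = username => username.replace(/\.([a-z0-9]{1,5})$/i, '_$1');` — this depends on whether `.` is in USERNAME_CHARS, which is defined outside this hunk, so confirm before widening it. Whichever form is kept deserves a comment stating the intent, such as `// A trailing ".ext" makes a username look like a static file on the @username route; rewrite the dot to "_" (#272).` The same helper is applied in the `defaultUsername` hunk below, so the gap affects generated usernames as well as chosen ones.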
@@ -295,6 +299,8 @@ router.post('/user/change-username', handleErrorAsync(async (req, res) => {
 return res.json({ error: 'user.account.changeUsername.invalid' });
 }
+ req.body.username = replaceExtension(req.body.username);
+
 const dbUser = await req.db.get(SQL`SELECT * FROM users WHERE usernameNorm = ${normalise(req.body.username)}`);
 if (dbUser && dbUser.id !== req.user.id) {
 return res.json({ error: 'user.account.changeUsername.taken' })
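Review bot: The rewrite of `req.body.username` runs after the `invalid` check, so a name the user typed is silently changed to one they did not request (`john.txt` becomes `john_txt`) and the rewritten value is never re-validated. Since the subject says "disallow", the clearer contract is to reject: `if (replaceExtension(req.body.username) !== req.body.username) { return res.json({ error: 'user.account.changeUsername.invalid' }); }` — or, if the silent rewrite is intended, document it with a one-line comment so the client-side display change in Account.vue is understood as a consequence of it. Mutating `req.body` in place also means any later reader of the body sees a value the client never sent; a local `const username = replaceExtension(req.body.username);` used in the query below avoids that. The enclosing route handler starts and ends outside the hunk.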