changeset 418:c70ddc6eb168
Don't allow user names to contain any of the following characters \"':;
author | Sascha L. Teichmann <sascha.teichmann@intevation.de> |
date | Thu, 16 Aug 2018 13:14:46 +0200 |
parents | ff26ffc18a04 |
children | 6627c48363a0 |
files | pkg/controllers/token.go pkg/controllers/types.go pkg/controllers/user.go |
diffstat | 3 files changed, 44 insertions(+), 12 deletions(-) [+] |
--- a/pkg/controllers/token.go Thu Aug 16 10:42:30 2018 +0200
+++ b/pkg/controllers/token.go Thu Aug 16 13:14:46 2018 +0200
@@ -63,7 +63,7 @@
 password = req.FormValue("password")
 )
 
- if user == "" || password == "" {
+ if user == "" || !UserName(user).isValid() || password == "" {
 http.Error(rw, "Invalid credentials", http.StatusBadRequest)
 return
 }
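Review bot: The login check on the `+` line screens the name with a weaker rule than the one applied when an account is created: `UserName.UnmarshalJSON` in types.go requires `emailRe` to match before it calls `isValid`, whereas this path calls the bare `isValid()`, which on its own still lets through NUL bytes, control characters and whitespace. This hunk is the place to make the two agree, e.g. `if user == "" || !emailRe.MatchString(user) || !UserName(user).isValid() || password == "" {` — provided every stored account name already satisfies `emailRe`, which the diff cannot show. Because the failure branch already answers with the generic "Invalid credentials", tightening the check leaks nothing extra to a caller. The enclosing handler begins before and ends after this hunk.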
--- a/pkg/controllers/types.go Thu Aug 16 10:42:30 2018 +0200
+++ b/pkg/controllers/types.go Thu Aug 16 13:14:46 2018 +0200
@@ -9,9 +9,10 @@
 )
 
 type (
- Email string
- Country string
- Role string
+ Email string
+ Country string
+ Role string
+ UserName string
 
 BoundingBox struct {
 X1 float64 `json:"x1"`
@@ -21,7 +22,7 @@
 }
 
 User struct {
- User string `json:"user"`
+ User UserName `json:"user"`
 Role Role `json:"role"`
 Password string `json:"password,omitempty"`
 Email Email `json:"email"`
@@ -76,6 +77,37 @@
 return
 }
 
+var errNoValidUser = errors.New("Not a valid user")
+
+func (u UserName) isValid() bool {
+ return !strings.ContainsAny(string(u), `\"':;`)
+}
+
+func (u *UserName) UnmarshalJSON(data []byte) error {
+ var s string
+ if err := json.Unmarshal(data, &s); err != nil {
+ return err
+ }
+ if !emailRe.MatchString(s) {
+ return errNoEmailAddress
+ }
+ user := UserName(s)
+ if !user.isValid() {
+ return errNoValidUser
+ }
+ *u = user
+ return nil
+}
+
+func (u *UserName) Scan(src interface{}) (err error) {
+ if s, ok := src.(string); ok {
+ *u = UserName(s)
+ } else {
+ err = errNoString
+ }
+ return
+}
+
 var (
 validCountries = []string{
 "AT", "BG", "DE", "HU", "HR",
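Review bot: `isValid` in the third hunk is a five-character denylist with no comment saying which sink those characters protect (presumably wherever the name is spliced into a quoted SQL string or identifier — confirm), so whoever later changes that sink has nothing to keep in sync, and the list still admits NUL bytes, control characters, whitespace and sequences such as `--`; a denylist is the wrong shape for guarding an interpolation point, an allowlist is. `UnmarshalJSON` does apply an allowlist (`emailRe`) before it calls isValid, but token.go and user.go call the bare method, so the package currently accepts three different name sets; moving the allowlist into the method, `return emailRe.MatchString(string(u)) && !strings.ContainsAny(string(u), forbidden)` with the five characters in a named constant, gives every caller one rule (check first that no stored names fail `emailRe`). Add a doc comment along the lines of `// isValid reports whether u is safe to use as an account name; the rejected characters are the ones that would break quoting at <sink> — keep in sync with it.` `Scan` accepts only `string`; a driver that returns `[]byte` for text columns would hit errNoString, so a `case []byte` may be needed depending on the driver in use.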
--- a/pkg/controllers/user.go Thu Aug 16 10:42:30 2018 +0200
+++ b/pkg/controllers/user.go Thu Aug 16 13:14:46 2018 +0200
@@ -94,9 +94,9 @@
 db *sql.DB,
 ) (jr JSONResult, err error) {
 
- user := mux.Vars(req)["user"]
- if user == "" {
- err = JSONError{http.StatusBadRequest, "error: user empty"}
+ user := UserName(mux.Vars(req)["user"])
+ if user == "" || !user.isValid() {
+ err = JSONError{http.StatusBadRequest, "error: user invalid"}
 return
 }
 
@@ -156,7 +156,7 @@
 
 if user != newUser.User {
 // Running in a go routine should not be necessary.
- go func() { auth.ConnPool.Logout(user) }()
+ go func() { auth.ConnPool.Logout(string(user)) }()
 }
 
 jr = JSONResult{
@@ -253,9 +253,9 @@
 db *sql.DB,
 ) (jr JSONResult, err error) {
 
- user := mux.Vars(req)["user"]
- if user == "" {
- err = JSONError{http.StatusBadRequest, "error: user empty"}
+ user := UserName(mux.Vars(req)["user"])
+ if user == "" || !user.isValid() {
+ err = JSONError{http.StatusBadRequest, "error: user invalid"}
 return
 }
 
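Review bot: The three added lines of the first hunk are repeated verbatim in the hunk at `@@ -253,9 +253,9 @@`, and the same rule appears in a third form in token.go, so the account-name policy now lives in three handlers and they already disagree: this path checks only `isValid()`, while `UserName.UnmarshalJSON` additionally demands `emailRe`. One helper keeps the rule in a single place and is the one spot to tighten later. The proposed call site keeps the existing convention of assigning the named `err` result and returning bare, which the handler body outside the hunk relies on. Both enclosing handlers start before and end after their hunks.

```go
// pathUser returns the {user} path variable after applying the shared
// account-name rule; on failure the error is a JSONError ready to return.
func pathUser(req *http.Request) (UserName, error) {
	user := UserName(mux.Vars(req)["user"])
	if user == "" || !user.isValid() {
		return "", JSONError{http.StatusBadRequest, "error: user invalid"}
	}
	return user, nil
}

// … unchanged: handler signature …
	user, err := pathUser(req)
	if err != nil {
		return
	}
	// … unchanged: rest of handler …
```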