Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: validate username before registering user #32743

Merged
merged 10 commits into from
Aug 21, 2024
5 changes: 5 additions & 0 deletions apps/meteor/app/api/server/v1/users.ts
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ import { setUserAvatar } from '../../../lib/server/functions/setUserAvatar';
import { setUsernameWithValidation } from '../../../lib/server/functions/setUsername';
import { validateCustomFields } from '../../../lib/server/functions/validateCustomFields';
import { validateNameChars } from '../../../lib/server/functions/validateNameChars';
import { validateUsername } from '../../../lib/server/functions/validateUsername';
import { notifyOnUserChange, notifyOnUserChangeAsync } from '../../../lib/server/lib/notifyListener';
import { generateAccessToken } from '../../../lib/server/methods/createToken';
import { settings } from '../../../settings/server';
Expand Down Expand Up @@ -651,6 +652,10 @@ API.v1.addRoute(
return API.v1.failure('Name contains invalid characters');
}

if (!validateUsername(this.bodyParams.username)) {
return API.v1.failure(`The username provided is not valid. Use only letters, numbers, dots, hyphens and underscores`);
}

if (!(await checkUsernameAvailability(this.bodyParams.username))) {
return API.v1.failure('Username is already in use');
}
Expand Down
21 changes: 6 additions & 15 deletions apps/meteor/app/lib/server/functions/setUsername.ts
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ import { getAvatarSuggestionForUser } from './getAvatarSuggestionForUser';
import { joinDefaultChannels } from './joinDefaultChannels';
import { saveUserIdentity } from './saveUserIdentity';
import { setUserAvatar } from './setUserAvatar';
import { validateUsername } from './validateUsername';

export const setUsernameWithValidation = async (userId: string, username: string, joinDefaultChannelsSilenced?: boolean): Promise<void> => {
if (!username) {
Expand All @@ -37,14 +38,7 @@ export const setUsernameWithValidation = async (userId: string, username: string
return;
}

let nameValidation;
try {
nameValidation = new RegExp(`^${settings.get('UTF8_User_Names_Validation')}$`);
} catch (error) {
nameValidation = new RegExp('^[0-9a-zA-Z-_.]+$');
}

if (!nameValidation.test(username)) {
if (!validateUsername(username)) {
throw new Meteor.Error(
'username-invalid',
`${_.escape(username)} is not a valid username, use only letters, numbers, dots, hyphens and underscores`,
Expand Down Expand Up @@ -74,18 +68,15 @@ export const setUsernameWithValidation = async (userId: string, username: string

export const _setUsername = async function (userId: string, u: string, fullUser: IUser): Promise<unknown> {
const username = u.trim();

if (!userId || !username) {
return false;
}
let nameValidation;
try {
nameValidation = new RegExp(`^${settings.get('UTF8_User_Names_Validation')}$`);
} catch (error) {
nameValidation = new RegExp('^[0-9a-zA-Z-_.]+$');
}
if (!nameValidation.test(username)) {

if (!validateUsername(username)) {
return false;
}

const user = fullUser || (await Users.findOneById(userId));
// User already has desired username, return
if (user.username === username) {
Expand Down
15 changes: 15 additions & 0 deletions apps/meteor/app/lib/server/functions/validateUsername.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
import { settings } from '../../../settings/server';

export const validateUsername = (username: string): boolean => {
ricardogarim marked this conversation as resolved.
Show resolved Hide resolved
const settingsRegExp = settings.get('UTF8_User_Names_Validation');
const defaultPattern = /^[0-9a-zA-Z-_.]+$/;

let usernameRegExp: RegExp;
try {
usernameRegExp = settingsRegExp ? new RegExp(`^${settingsRegExp}$`) : defaultPattern;
} catch (e) {
usernameRegExp = defaultPattern;
}

return usernameRegExp.test(username);
};
33 changes: 27 additions & 6 deletions apps/meteor/tests/end-to-end/api/users.ts
Original file line number Diff line number Diff line change
Expand Up @@ -605,6 +605,27 @@ describe('[Users]', () => {
})
.end(done);
});

it('should return an error when trying register new user with an invalid username', (done) => {
void request
.post(api('users.register'))
.send({
email,
name: 'name',
username: 'test$username<>',
pass: 'test',
})
.expect('Content-Type', 'application/json')
.expect(400)
.expect((res) => {
expect(res.body).to.have.property('success', false);
expect(res.body)
.to.have.property('error')
.and.to.be.equal('The username provided is not valid. Use only letters, numbers, dots, hyphens and underscores');
})
.end(done);
});

it('should return an error when trying register new user with an existing username', (done) => {
void request
.post(api('users.register'))
Expand Down Expand Up @@ -3700,9 +3721,9 @@ describe('[Users]', () => {

it('should invalidate all active sesions', (done) => {
/* We want to validate that the login with the "old" credentials fails
However, the removal of the tokens is done asynchronously.
Thus, we check that within the next seconds, at least one try to
access an authentication requiring route fails */
However, the removal of the tokens is done asynchronously.
Thus, we check that within the next seconds, at least one try to
access an authentication requiring route fails */
let counter = 0;

async function checkAuthenticationFails() {
Expand Down Expand Up @@ -4060,9 +4081,9 @@ describe('[Users]', () => {

it('should invalidate all active sesions', (done) => {
/* We want to validate that the login with the "old" credentials fails
However, the removal of the tokens is done asynchronously.
Thus, we check that within the next seconds, at least one try to
access an authentication requiring route fails */
However, the removal of the tokens is done asynchronously.
Thus, we check that within the next seconds, at least one try to
access an authentication requiring route fails */
let counter = 0;

async function checkAuthenticationFails() {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
import { expect } from 'chai';
import proxyquire from 'proxyquire';

const proxySettings = {
settings: {
get: (key: string): string | null => {
if (key === 'UTF8_User_Names_Validation') {
// Default value set at apps/meteor/server/settings/general.ts
return '[0-9a-zA-Z-_.]+';
}
return null;
ricardogarim marked this conversation as resolved.
Show resolved Hide resolved
},
},
};

const { validateUsername } = proxyquire.noCallThru().load('../../../../../../app/lib/server/functions/validateUsername', {
'../../../settings/server': proxySettings,
});

describe('validateUsername', () => {
describe('with default settings', () => {
it('should return true for a valid username', () => {
const result = validateUsername('valid_username.123');
expect(result).to.be.true;
});

it('should return false for an invalid username containing special HTML tags', () => {
const result = validateUsername('username<div>$</div>');
expect(result).to.be.false;
});

it('should return false for an empty username', () => {
const result = validateUsername('');
expect(result).to.be.false;
});

it('should return false for a username with invalid characters', () => {
const result = validateUsername('invalid*username!');
expect(result).to.be.false;
});

it('should return true for a username with allowed special characters', () => {
const result = validateUsername('username-_.');
expect(result).to.be.true;
});
});

describe('with custom regex settings', () => {
beforeEach(() => {
proxySettings.settings.get = (key: string) => {
ricardogarim marked this conversation as resolved.
Show resolved Hide resolved
if (key === 'UTF8_User_Names_Validation') {
return '[a-zA-Z]+';
}
return null;
};
});

it('should return true for a username matching the custom regex', () => {
const result = validateUsername('ValidUsername');
expect(result).to.be.true;
});

it('should return false for a username that does not match the custom regex', () => {
const result = validateUsername('username123');
expect(result).to.be.false;
});
});

describe('with null regex settings', () => {
beforeEach(() => {
proxySettings.settings.get = () => null;
});

it('should fallback to the default regex pattern if the settings value is null', () => {
const result = validateUsername('username');
expect(result).to.be.true;
});
});

describe('with invalid regex settings', () => {
beforeEach(() => {
proxySettings.settings.get = (key: string) => {
if (key === 'UTF8_User_Names_Validation') {
return 'invalid[';
}
return null;
};
});

it('should fallback to the default regex pattern if the settings value is invalid', () => {
const result = validateUsername('username');
expect(result).to.be.true;
});
});
});
Loading