fix: validate username and display name in PostUser. (#5366)
ioga authored Nov 1, 2022
1 parent 1475136 commit 44000a6
Showing 3 changed files with 15 additions and 4 deletions.
4 changes: 2 additions & 2 deletions e2e_tests/tests/cluster/test_users.py
Expand Up @@ -946,12 +946,12 @@ def test_change_displayname(clean_auth: None) -> None:
assert current_user is not None and current_user.id

# Rename user using display name
patch_user = bindings.v1PatchUser(displayName="renamed")
patch_user = bindings.v1PatchUser(displayName="renamed display-name")
bindings.patch_PatchUser(sess, body=patch_user, userId=current_user.id)

modded_user = bindings.get_GetUser(sess, userId=current_user.id).user
assert modded_user is not None
assert modded_user.displayName == "renamed"
assert modded_user.displayName == "renamed display-name"

# Avoid display name of 'admin'
patch_user.displayName = "Admin"
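Review bot: Nothing in this test change exercises PostUser, the endpoint the commit adds validation to; the two edited lines only confirm that a display name containing a space and a hyphen survives PatchUser. With three files changed and this the only test touched, the new create-user path (username minimum length of 2, cleaned display name) ships without coverage. I would add a case that creates a user with a too-short username and one with a display name containing characters the pattern rejects, asserting the API's response in each case. A comment on the rename such as `# display names may contain spaces and punctuation` would also record why the value changed. test_change_displayname starts before and continues after this hunk.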
1 change: 1 addition & 0 deletions master/.golangci.yml
Expand Up @@ -32,6 +32,7 @@ issues:
# Exclude "gosec: Errors unhandled" because it duplicates errcheck.
- G104
- and that stutters
- declaration of "(err|ctx)" shadows declaration at

# Independently from option `exclude` golangci-lint uses default exclude patterns.
exclude-use-default: false
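Review bot: The exclusion `declaration of "(err|ctx)" shadows declaration at` silences the shadow report for every package this config covers, not just for the one place this commit seems to need it (the inner `clearedDisplayName, err := clearUsername(...)` in PostUser). A shadowed `err` is a common way for a failure to be dropped: the inner variable is checked while the outer one is returned unset, and in user-management code that can let a failed validation pass as success. I would keep the check enabled and either avoid the shadow at the call site or suppress it there with `//nolint:govet` and a stated reason. The page does not mark which line of this hunk is new; I am assuming it is this pattern, since the file shows one addition.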
14 changes: 12 additions & 2 deletions master/internal/api_user.go
Expand Up @@ -26,7 +26,7 @@ const determinedName = "determined"

var (
errUserNotFound = status.Error(codes.NotFound, "user not found")
latinText = regexp.MustCompile("[^\\p{Latin}\\p{N}\\s]")
latinText = regexp.MustCompile("[^[:graph:]\\s]")
)

func clearUsername(targetUser model.User, name string, minLength int) (*string, error) {
Expand Down Expand Up @@ -215,8 +215,18 @@ func (a *apiServer) PostUser(
Admin: req.User.Admin,
Active: req.User.Active,
}
clearedUsername, err := clearUsername(*userToAdd, userToAdd.Username, 2)
if err != nil {
return nil, err
}
userToAdd.Username = *clearedUsername

if req.User.DisplayName != "" {
userToAdd.DisplayName = null.StringFrom(req.User.DisplayName)
clearedDisplayName, err := clearUsername(*userToAdd, req.User.DisplayName, 0)
if err != nil {
return nil, err
}
userToAdd.DisplayName = null.StringFrom(*clearedDisplayName)
}

var agentUserGroup *model.AgentUserGroup
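Review bot: The new `latinText` pattern `[^[:graph:]\\s]` no longer matches what the name says: in Go's regexp `[:graph:]` is ASCII-only, so every non-ASCII letter (for example an accented name the old `\p{Latin}` class accepted) now falls in the matched set, while all ASCII punctuation, including angle brackets and quote characters, no longer does. `clearUsername` is outside this view, so whether matches are stripped or rejected needs confirming. Either way, names accepted by PostUser can now carry markup and quote characters, and `\s` still admits tabs and newlines, so every consumer that renders or logs a username or display name has to escape it. I would rename the variable and document the allowed set, e.g. `// disallowedNameChars matches anything other than printable ASCII and whitespace.`, and add `\\p{L}` to the class if international names are meant to stay valid. PostUser's body starts before and continues after the second hunk.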