#1: Disallow to query invalid Mojang usernames

elyby · Apr 20, 2019 · 96af45b · 96af45b
1 parent b1e18d0
commit 96af45b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/api/mojang/queue/queue.go b/api/mojang/queue/queue.go
@@ -1,6 +1,7 @@
 package queue
 
 import (
+	"regexp"
 	"strings"
 	"sync"
 	"time"
@@ -15,6 +16,9 @@ var forever = func() bool {
 	return true
 }
 
+// https://help.mojang.com/customer/portal/articles/928638
+var allowedUsernamesRegex = regexp.MustCompile(`^[\w_]{3,16}$`)
+
 type JobsQueue struct {
 	Storage Storage
 
@@ -31,6 +35,14 @@ func (ctx *JobsQueue) GetTexturesForUsername(username string) chan *mojang.Signe
 	})
 
 	responseChan := make(chan *mojang.SignedTexturesResponse)
+	if !allowedUsernamesRegex.MatchString(username) {
+		go func() {
+			responseChan <- nil
+			close(responseChan)
+		}()
+
+		return responseChan
+	}
 
 	cachedResult := ctx.Storage.Get(username)
 	if cachedResult != nil {

diff --git a/api/mojang/queue/queue_test.go b/api/mojang/queue/queue_test.go
@@ -3,6 +3,7 @@ package queue
 import (
 	"crypto/rand"
 	"encoding/base64"
+	"strings"
 	"time"
 
 	"github.com/elyby/chrly/api/mojang"
@@ -251,6 +252,11 @@ func (suite *QueueTestSuite) TestHandle429ResponseWhenRequestingUsersTextures()
 	suite.Assert().Nil(<-resultChan)
 }
 
+func (suite *QueueTestSuite) TestReceiveTexturesForNotAllowedMojangUsername() {
+	resultChan := suite.Queue.GetTexturesForUsername("Not allowed")
+	suite.Assert().Nil(<-resultChan)
+}
+
 func TestJobsQueueSuite(t *testing.T) {
 	suite.Run(t, new(QueueTestSuite))
 }
@@ -259,7 +265,7 @@ func TestJobsQueueSuite(t *testing.T) {
 func randStr(len int) string {
 	buff := make([]byte, len)
 	_, _ = rand.Read(buff)
-	str := base64.StdEncoding.EncodeToString(buff)
+	str := strings.ReplaceAll(base64.URLEncoding.EncodeToString(buff), "-", "_")
 
 	// Base 64 can be longer than len
 	return str[:len]