fix(users): Enforce validation on first_name for increase security

[ERosendo]

This PR addresses a security vulnerability in the registration form. The first_name field was previously susceptible to Hyperlink Injection attacks. By allowing arbitrary input, malicious users could inject malicious links into the welcome email, potentially redirecting users to phishing sites or distributing malware.

References:

https://hackerone.com/reports/843421
https://hackerone.com/reports/158554
https://hackerone.com/reports/164833

fixes #4687

[mlissner]

One thought for you, but I might be wrong.

Thank you. :)

[mlissner]

Boy, I'm rusty on regexes these days, but why not do:

Suggested change

	if not re.match(
	r"""[^!"#$%&()*+,./:;<=>?@[\]_{|}~]+$""", first_name, re.IGNORECASE
	):
	import string
	if re.match(f"[{string.punctuation}]+$", first_name):

That flips the logic, uses string.punctuation (which I think is fine?) and removes re.IGNORECASE, because I can't see how it was relevant?

[ERosendo]

@mlissner You're absolutely right! The re.IGNORECASE flag isn't necessary here, and your suggestion is great.

Before we implement this change, I'd like to clarify one thing:

The current regex allows names with apostrophes (') and hyphens/dashes (-). If we use string.punctuation to validate names, it will flag these characters as invalid. Is that ok?

[mlissner]

Yeah, we should probably allow those! I didn't look too closely. Thanks for doing so!

[ERosendo]

👍

[mlissner]

Wait, before we ship, we can flip the regex, remove the not, and remove the IGNORECASE, right?

[ERosendo]

Thank you for pointing that out. I've incorporated the refactor into the latest commit

[mlissner]

Nice. Set for auto-merge!