fix(api): validate username with regex (#6026)

ovh · Dec 3, 2021 · ccfee12 · ccfee12
1 parent 312b74d
commit ccfee12
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 7 deletions.
diff --git a/engine/api/authentication/local/dao_registration.go b/engine/api/authentication/local/dao_registration.go
@@ -43,8 +43,8 @@ func LoadRegistrationByID(ctx context.Context, db gorp.SqlExecutor, id string) (
 
 // InsertRegistration in database.
 func InsertRegistration(ctx context.Context, db gorpmapper.SqlExecutorWithTx, ur *sdk.UserRegistration) error {
-	if !sdk.UsernameRegex.MatchString(ur.Username) {
-		return sdk.WithStack(sdk.ErrInvalidUsername)
+	if err := sdk.IsValidUsername(ur.Username); err != nil {
+		return err
 	}
 
 	if ur.ID == "" {

diff --git a/engine/api/user/dao.go b/engine/api/user/dao.go
@@ -129,8 +129,8 @@ func CountAdmin(db gorp.SqlExecutor) (int64, error) {
 
 // Insert a user in database.
 func Insert(ctx context.Context, db gorpmapper.SqlExecutorWithTx, au *sdk.AuthentifiedUser) error {
-	if !sdk.UsernameRegex.MatchString(au.Username) {
-		return sdk.WithStack(sdk.ErrInvalidUsername)
+	if err := sdk.IsValidUsername(au.Username); err != nil {
+		return err
 	}
 
 	au.ID = sdk.UUID()
@@ -146,6 +146,10 @@ func Insert(ctx context.Context, db gorpmapper.SqlExecutorWithTx, au *sdk.Authen
 
 // Update a user in database.
 func Update(ctx context.Context, db gorpmapper.SqlExecutorWithTx, au *sdk.AuthentifiedUser) error {
+	if err := sdk.IsValidUsername(au.Username); err != nil {
+		return err
+	}
+
 	u := authentifiedUser{AuthentifiedUser: *au}
 	if err := gorpmapping.UpdateAndSign(ctx, db, &u); err != nil {
 		return sdk.WrapError(err, "unable to update authentified user with id: %s", au.ID)

diff --git a/sdk/user.go b/sdk/user.go
@@ -33,7 +33,7 @@ type UserRegistration struct {
 	Hash     string    `json:"-"  db:"hash"` // do no return hash in json
 }
 
-var UsernameRegex = regexp.MustCompile("[a-z0-9._-]{3,32}")
+var usernameRegex = regexp.MustCompile("[a-z0-9._-]{3,32}")
 
 // AuthentifiedUser struct contains all information about a cds user.
 type AuthentifiedUser struct {
@@ -49,10 +49,17 @@ type AuthentifiedUser struct {
 	Organization string       `json:"organization,omitempty" yaml:"organization,omitempty" cli:"organization" db:"-"`
 }
 
+func IsValidUsername(username string) error {
+	if username == "" || username == "me" || !usernameRegex.MatchString(username) {
+		return NewErrorFrom(ErrInvalidUsername, "invalid given username: %q", username)
+	}
+	return nil
+}
+
 // IsValid returns an error if given user's infos are not valid.
 func (u AuthentifiedUser) IsValid() error {
-	if u.Username == "" || u.Username == "me" {
-		return NewErrorFrom(ErrWrongRequest, "invalid given username")
+	if err := IsValidUsername(u.Username); err != nil {
+		return err
 	}
 	if u.Fullname == "" {
 		return NewErrorFrom(ErrWrongRequest, "invalid given fullname")