
Commit e836d04

committed
fix(account): security fix
1 parent 36a542a commit e836d04


3 files changed

+24
-3
lines changed


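--- a/src/models/user.js
+++ b/src/models/user.js
@@ -100,6 +100,8 @@ userSchema.pre('save', function (next) {
 return next()
 }
 
+if (user.password.toString().length > 255) user.password = utils.applyMaxTextLength(user.password)
+
 bcrypt.genSalt(SALT_FACTOR, function (err, salt) {
 if (err) return next(err)
 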
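Review bot: The added line silently truncates an over-long password before hashing instead of rejecting it, so the stored bcrypt hash corresponds to `utils.applyMaxTextLength(user.password)` rather than what the user typed; unless the login comparison applies the same truncation (not visible here), such a user is locked out, and either way the save reports success with no feedback. Failing the save is the safer contract: `if (user.password.toString().length > 255) return next(new Error('Password exceeds maximum length of 255 characters'))`. Note also that `user.password.toString()` throws a TypeError when password is null or undefined; this presumably sits behind an isModified('password') guard earlier in the hook, which starts outside the hunk, so confirm that guard is in place.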
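--- a/src/public/js/angularjs/controllers/profile.js
+++ b/src/public/js/angularjs/controllers/profile.js
@@ -45,13 +45,32 @@ define([
 }, 0)
 }
 
+function validateEmail (email) {
+return String(email)
+.toLowerCase()
+.match(
+/^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/
+)
+}
+
 $scope.updateUser = function ($event) {
 $event.preventDefault()
 
 var id = $('div[data-user_id]').attr('data-user_id')
 if (_.isUndefined(id)) return
 var data = getFormData()
 
+if (
+data.fullname.toString().length > 25 ||
+data.password.toString().length > 255 ||
+data.cPassword.toString().length > 255 ||
+data.email.toString().length > 255 ||
+!validateEmail(data.email.toString())
+) {
+helpers.UI.showSnackbar('Form data invalid.', true)
+return false
+}
+
 $http
 .put('/api/v1/users/' + data.username, {
 aId: id,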
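Review bot: The new length and email checks in updateUser run only in the browser, so a request sent directly to `PUT /api/v1/users/...` bypasses them; of the fields checked here, only the password gets a server-side counterpart in this commit (src/models/user.js), and that one truncates rather than rejects. The same fullname, email and length limits need to be enforced in the API handler or schema validators, with this client check kept as a usability aid only. Separately, `data.fullname.toString()` and the other `.toString()` calls throw a TypeError if getFormData() (outside the hunk) omits a field, which would abort the handler before the snackbar is shown; `String(data.fullname ?? '')` or equivalent is safer. `validateEmail` returns a match array or null, which works under `!`, but returning a boolean (`... !== null`) would make the contract explicit for other callers.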
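--- a/src/views/subviews/profile.hbs
+++ b/src/views/subviews/profile.hbs
@@ -92,15 +92,15 @@
 </div>
 <div class="uk-margin-medium-bottom">
 <label for="aPass">Password</label>
-<input id="aPass" class="md-input" name="aPass" type="password" />
+<input id="aPass" class="md-input" name="aPass" type="password" data-validation="length" data-validation-length="max255" data-validation-error-msg="Password too long. Maximum length is 25 characters." />
 </div>
 <div class="uk-margin-medium-bottom">
 <label for="aPassConfirm">Confirm Password</label>
-<input id="aPassConfirm" class="md-input" name="aPassConfirm" type="password" />
+<input id="aPassConfirm" class="md-input" name="aPassConfirm" type="password" data-validation="length" data-validation-length="max255" data-validation-error-msg="Password too long. Maximum length is 25 characters." />
 </div>
 <div class="uk-margin-medium-bottom">
 <label for="aEmail">Email</label>
-<input id="aEmail" class="md-input" name="aEmail" type="email" value="{{data.account.email}}"/>
+<input id="aEmail" class="md-input" name="aEmail" type="email" value="{{data.account.email}}" data-validation="email" data-validation-error-msg="Please enter a valid email address."/>
 </div>
 <div class="uk-clearfix">
 <button type="submit" class="uk-float-right md-btn md-btn-small md-btn-success md-btn-wave-light" ng-click="updateUser($event)">Save</button>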
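Review bot: The error message on both the aPass and aPassConfirm inputs says "Maximum length is 25 characters." while the rule on the same line is `data-validation-length="max255"`, so users who trip the check are told the wrong limit; change both messages to `data-validation-error-msg="Password too long. Maximum length is 255 characters."`. These data-validation attributes are client-side only and can be stripped by anyone editing the DOM, so they must be mirrored by the server-side checks in the API route; the only server-side change in this commit is the password truncation in src/models/user.js.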